将mysql_real_escape_string与PDO一起使用(不连接到本地主机服务器) [英] Using mysql_real_escape_string with PDO (no connection to localhost server)
问题描述
所以我很偏执,并且将mysql_real_escape_string()与PDO一起使用.我实际上不在PDO中使用准备好的语句,所以我必须清理输入.
So I'm fairly paranoid and use mysql_real_escape_string() with PDO. I actually don't use prepared statements in PDO, so I do have to sanitize the inputs.
在我自己的服务器上托管时,我将在本地计算机上创建一个非特权用户,这样mysql_real_escape_string()不会失败并清空我的变量(嘿,现在那是清除!).我意识到这是一个非常失败的解决方案,因为如果数据库中没有匹配的字符集,那么根本就没有必要进行清理,但它可以临时解决问题.
When hosting on my own server, I'd create an unprivileged user on the local machine so mysql_real_escape_string() wouldn't fail and empty my variable (heh, now that's sanitization!). I realize this is a pretty fail solution, since if the db's don't have matching charsets, then there's no point to the sanitizing at all, but it worked for the interim.
现在在我的新主机上,我无法为数据库创建无密码,无特权的用户...,并且mysql_real_escape_string()失败,因为本地计算机上没有mysql服务器.我无法编辑php.ini为默认数据库设置主机名/用户/密码.
Now at my new host, I can't create an unpassworded, unprivileged user for the database... and mysql_real_escape_string() fails because there is no mysql server on the local machine. I can't edit php.ini to set the hostname/user/pass for the default database.
我该怎么办?
在撰写本文时集思广益,我想知道php是否允许运行时更改配置...也许...人力资源管理.
编辑:嗯... ini_set()? :O
Brainstorming as I am writing this, I am wondering if php allows runtime changes to the config... maybe... hrm.
Edit: Hm... ini_set()? :O
推荐答案
像这样混合两个数据库库是一个坏主意,并且可能是不安全的.
Mixing two database libraries like this is a bad idea and potentially unsafe.
mysql_real_escape_string()需要一个现有的经典mysql_connect()数据库连接(可以从中获取字符集信息)以完全安全. PDO连接将是单独的,可能具有不同的字符集设置,最终导致 less 安全性:
mysql_real_escape_string() needs an existing, classic mysql_connect() database connection (which it can get character set info from) to be totally safe. The PDO connection will be separate, possibly with different character set settings, ultimately resulting in less security:
在使用mysql_real_escape_string()之前需要MySQL连接,否则将生成E_WARNING级错误,并返回FALSE.如果未定义link_identifier,则使用最后一个MySQL连接.
A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.
一路使用PDO,别无选择.
Use PDO all the way, there's no alternative.
如果您不想使用准备好的语句,请 PDO::quote 应该是正确的功能:
If you don't want to use prepared statements, PDO::quote should be the correct function:
返回一个带引号的字符串,该字符串在理论上可以安全地传递到SQL语句中.
Returns a quoted string that is theoretically safe to pass into an SQL statement.
但是请注意,即使是该功能的手册页也建议改用准备好的语句.
Note however that even the manual page for that function recommends using prepared statements instead.
这篇关于将mysql_real_escape_string与PDO一起使用(不连接到本地主机服务器)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
