替代 mysql_real_escape_string 而不连接到数据库 [英] Alternative to mysql_real_escape_string without connecting to DB

问题描述

我想要一个不连接到数据库就可以像 mysql_real_escape_string 一样运行的函数，因为有时我需要在没有数据库连接的情况下进行干测试.mysql_escape_string 已被弃用，因此是不可取的.我的一些发现:

I'd like to have a function behaving as mysql_real_escape_string without connecting to database as at times I need to do dry testing without DB connection. mysql_escape_string is deprecated and therefore is undesirable. Some of my findings:

http://www.gamedev.net/community/forums/topic.asp?topic_id=448909

http://w3schools.invisionzone.com/index.php?showtopic=20064

推荐答案

没有数据库连接就不可能安全地转义字符串.mysql_real_escape_string() 和准备好的语句需要连接到数据库，以便它们可以使用适当的字符集对字符串进行转义 - 否则仍然可能使用多字节字符进行 SQL 注入攻击.

It is impossible to safely escape a string without a DB connection. mysql_real_escape_string() and prepared statements need a connection to the database so that they can escape the string using the appropriate character set - otherwise SQL injection attacks are still possible using multi-byte characters.

如果你只是测试，那么你也可以使用mysql_escape_string()，它不能100%保证防止SQL注入攻击，但不可能构建任何更安全的东西没有数据库连接.

If you are only testing, then you may as well use mysql_escape_string(), it's not 100% guaranteed against SQL injection attacks, but it's impossible to build anything safer without a DB connection.

这篇关于替代 mysql_real_escape_string 而不连接到数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！