What is the PDO equivalent of function mysql_real_escape_string?


Question

I am modifying my code from using mysql_* to PDO. In my code I had mysql_real_escape_string(). What is the equivalent of this in PDO?

Answer

Well, no, there isn't!

Technically there is PDO::quote() but it is rarely ever used and is not the equivalent of mysql_real_escape_string()

That's right! If you are already using PDO the proper way, as documented, using prepared statements, then it will protect you from MySQL injection.

Below is an example of a safe database query using prepared statements (PDO):

    try {
        // first connect to database with the PDO object.
        $db = new \PDO("mysql:host=localhost;dbname=xxx;charset=utf8", "xxx", "xxx", [
            \PDO::ATTR_EMULATE_PREPARES => false,
            \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION
        ]);
    } catch (\PDOException $e) {
        // if connection fails, show PDO error.
        echo "Error connecting to mysql: " . $e->getMessage();
    }

And now, assuming the connection is established, you can execute your query like this:

    if ($_POST && isset($_POST['color'])) {

        // preparing a statement
        $stmt = $db->prepare("SELECT id, name, color FROM Cars WHERE color = ?");

        // execute/run the statement.
        $stmt->execute(array($_POST['color']));

        // fetch the result.
        $cars = $stmt->fetchAll(\PDO::FETCH_ASSOC);
        var_dump($cars);
    }

Now, as you can probably tell, I haven't used anything to escape/sanitize the value of $_POST["color"]. And this code is secure from MySQL injection thanks to PDO and the power of prepared statements.

It is worth noting that you should pass charset=utf8 as an attribute in your DSN, as seen above, for security reasons, and always enable PDO to show errors in the form of exceptions:

    \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION

so errors from your database queries won't reveal sensitive data like your directory structure, database username, etc.

Last but not least, there are moments when you should not trust PDO 100%, and will be bound to take some extra measures to prevent SQL injection; one of those cases is if you are using an outdated version of mysql [ mysql =< 5.3.6 ], as described in this answer.

But using prepared statements as shown above will always be safer than using any of the functions that start with mysql_.

Good read
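The following is an added example, not code from the original answer, that puts the three approaches discussed above side by side on the same input: string concatenation in the mysql_* style, a PDO prepared statement with a bound parameter, and PDO::quote(). It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database so it runs without a MySQL server; the table, rows and attacker payload are constructed for the example, and the function names (connect, seed, carsByColor*) are the example's own. With MySQL you would swap in the DSN from the answer ("mysql:host=...;dbname=...;charset=utf8") and also pass \PDO::ATTR_EMULATE_PREPARES => false, which pdo_sqlite does not need.

```php
<?php
// Added example, not part of the original answer. Assumes pdo_sqlite is
// installed; the sample data and the injection payload are constructed here.
declare(strict_types=1);

function connect(): \PDO
{
    // For MySQL use the answer's DSN with charset=utf8 and add
    // \PDO::ATTR_EMULATE_PREPARES => false; SQLite always uses native prepares.
    return new \PDO('sqlite::memory:', null, null, [
        \PDO::ATTR_ERRMODE            => \PDO::ERRMODE_EXCEPTION,
        \PDO::ATTR_DEFAULT_FETCH_MODE => \PDO::FETCH_ASSOC,
    ]);
}

// Constructed sample data shaped like the Cars table used in the answer.
function seed(\PDO $db): void
{
    $db->exec('CREATE TABLE Cars (id INTEGER PRIMARY KEY, name TEXT NOT NULL, color TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO Cars (name, color) VALUES (?, ?)');
    foreach ([['Civic', 'red'], ['Model 3', 'blue'], ['Golf', 'red']] as $row) {
        $insert->execute($row);
    }
}

// 1. The mysql_* habit: splice user input straight into the SQL text.
function carsByColorUnsafe(\PDO $db, string $color): array
{
    $sql = "SELECT id, name, color FROM Cars WHERE color = '$color'";
    return $db->query($sql)->fetchAll();
}

// 2. What the answer recommends: a prepared statement with a bound parameter.
//    The value is sent separately from the query text and is never parsed as SQL.
function carsByColorPrepared(\PDO $db, string $color): array
{
    $stmt = $db->prepare('SELECT id, name, color FROM Cars WHERE color = ?');
    $stmt->execute([$color]);
    return $stmt->fetchAll();
}

// 3. PDO::quote(): returns the value as a quoted SQL string literal that you
//    still have to splice in by hand. It only covers string literals; it does
//    nothing for table or column names or an unquoted LIMIT value.
function carsByColorQuoted(\PDO $db, string $color): array
{
    $sql = 'SELECT id, name, color FROM Cars WHERE color = ' . $db->quote($color);
    return $db->query($sql)->fetchAll();
}

$db = connect();
seed($db);

// Constructed attacker input: the classic tautology payload.
$payload = "' OR '1'='1";

printf("unsafe concatenation: %d rows\n", count(carsByColorUnsafe($db, $payload)));
printf("prepared statement:   %d rows\n", count(carsByColorPrepared($db, $payload)));
printf("PDO::quote():         %d rows\n", count(carsByColorQuoted($db, $payload)));
printf("prepared, color=red:  %d rows\n", count(carsByColorPrepared($db, 'red')));
```

Run it with `php example.php`. The concatenated query returns every row, because the payload turns the WHERE clause into `color = '' OR '1'='1'`; the prepared and quote() versions return no rows, because the entire payload is compared as one literal color value; and the legitimate lookup for 'red' returns the two red cars. The prepared version also needs no quoting call at all, which is why the answer describes PDO::quote() as rarely used rather than as the replacement for mysql_real_escape_string().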
