How to properly escape a string via PHP and mysql


Question



Can someone explain what is the difference between using mysql_real_escape_string on a string or wrapping `` around the column.

For example "insert into table (``column``) values ('$string')"

or

$escapedstring = mysql_real_escape_string($string);
"insert into table (column) values ('$escapedstring')"

What is the difference between these two and what should I use? Thanks.

Solution

There's a difference between the backtick ` and the single quote '.

The backtick is intended to escape table and field names that may conflict with MySQL reserved words. If I had a field named date and a query like SELECT date FROM mytable I'd need to escape the use of date so that when MySQL parses the query, it will interpret my use of date as a field rather than the datatype date.

The single quote ' is intended for literal values, as in SELECT * FROM mytable WHERE somefield='somevalue'. If somevalue itself contains single quotes, then they need to be escaped to prevent premature closing of the quote literal.
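As an added illustration that is not part of the original answer, the Python script below separates the two mechanisms the answer describes: a literal escaper that rewrites the same characters the PHP manual lists for mysql_real_escape_string(), an identifier quoter that wraps a name in backticks (doubling any backtick inside it), and a small scanner that reports whether every single-quoted literal in an assembled query is actually closed. The escaper assumes a UTF-8 or single-byte connection charset; the real PHP function is charset-aware, which is why it needs an open connection. The function names and the sample value "O'Reilly" are constructed for this example.

```python
# Added example: MySQL literal escaping vs. identifier quoting, in plain Python.
# escape_literal() rewrites the characters the PHP manual lists for
# mysql_real_escape_string(); it assumes a UTF-8 or single-byte connection
# charset (the real function is charset-aware, hence needs a connection).

# NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z.
_LITERAL_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def escape_literal(value: str) -> str:
    """Escape VALUE for placement inside a single-quoted MySQL string literal."""
    return "".join(_LITERAL_ESCAPES.get(ch, ch) for ch in value)


def quote_identifier(name: str) -> str:
    """Wrap a table or column name in backticks so a reserved word such as
    date is parsed as a name; a backtick inside the name is doubled.
    Backticks only say "this is an identifier"; they never protect a value."""
    return "`" + name.replace("`", "``") + "`"


def build_insert(table: str, column: str, value: str, escape: bool = True) -> str:
    """Assemble the INSERT from the question. escape=False reproduces the
    unescaped interpolation, so the effect of a stray apostrophe is visible."""
    literal = escape_literal(value) if escape else value
    return (f"INSERT INTO {quote_identifier(table)} "
            f"({quote_identifier(column)}) VALUES ('{literal}')")


def literals_balanced(sql: str) -> bool:
    """Return True when every single-quoted literal in SQL is closed.
    Honours backslash escapes and doubled quotes inside a literal (MySQL's
    default behaviour, with NO_BACKSLASH_ESCAPES off)."""
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1                  # '' is an escaped quote
                else:
                    in_literal = False
        elif ch == "'":
            in_literal = True
        i += 1
    return not in_literal


if __name__ == "__main__":
    name = "O'Reilly"                       # constructed sample value
    naive = build_insert("mytable", "date", name, escape=False)
    safe = build_insert("mytable", "date", name)
    print(naive, "-> balanced:", literals_balanced(naive))   # False
    print(safe, "-> balanced:", literals_balanced(safe))     # True
    # Escaping a value does nothing for a column name: the reserved word
    # date is still unquoted, so only backticks fix that side.
    print(escape_literal("date"), "vs", quote_identifier("date"))
```

Running the script shows the two halves of the answer side by side: the apostrophe in the value closes the literal early unless it is escaped, while escaping the word date leaves it unchanged, so only backticks make MySQL read it as a column. Note that the mysql_* extension the question uses was removed in PHP 7; in current code a prepared statement with bound parameters (mysqli or PDO) replaces this kind of string assembly for values, and backticks remain the only tool for identifiers.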

