Wordpress:wpdb-> insert VERSUS wpdb-> prepare(wpdb-> query(" INSERT [英] Wordpress: wpdb->insert VERSUS wpdb->prepare(wpdb->query("INSERT
问题描述
我想知道如果wordpress的插入函数也添加斜线到数据。如果不是,似乎准备查询方法将更好地防止SQL注入。我试着在那里看这个问题codex / api;然而,它似乎没有文件。
谢谢!
I am wondering if wordpress' insert function also adds slashes to data. If it doesn't it would seem that the prepare query method would be better to prevent against SQL injection. I tried looking the issue up in there codex/api; however, it seems undocumented. Thanks!
推荐答案
Wordpress使用 ezSQL 查询数据库。从技术上讲,它不是一个抽象层,但它会带走一些样板代码。 ezSQL有一个函数 escape
,所以我假设Wordpress总是在执行查询之前调用转义函数。但是要确保你必须看看源代码。
Wordpress uses ezSQL to query the database. Technically, it is not an abstraction layer but it does take away some of the boilerplate code. ezSQL has a function escape
so I assume that Wordpress would always call the escape function before executing a query. But to be certain you would have to take a look at the source code.
这是您在Wordpress中转义字串的方法:
$ safe_string = $ wpdb-> escape($ unsafe_string );
This is how you escape a string in Wordpress:
$safe_string = $wpdb->escape($unsafe_string);
这篇关于Wordpress:wpdb-> insert VERSUS wpdb-> prepare(wpdb-> query(" INSERT的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!