Is mysql_real_escape_string() broken?
Problem description
Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used.
Bringing some fossilized articles as a proof.
So, the question is: is mysql[i]_real_escape_string() totally unacceptable?
Or is it still possible to use this function to create your own kind of prepared statements?
With proof code, please.
From the MySQL’s C API function mysql_real_escape_string description:
If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.
So don’t use SET NAMES / SET CHARACTER SET but PHP’s mysql_set_charset to change the encoding as that is the counterpart to MySQL’s mysql_set_character_set (see source code of /ext/mysql/php_mysql.c).
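Why the escaping routine has to know the connection character set, shown as an added example that is not part of the original question or answer: a simplified Python model, not MySQL's or PHP's code, of a client-side escaper and of the server reading the quoted literal. GBK as the multi-byte charset, the function names (`char_len`, `escape`, `terminating_quotes`) and the sample bytes are assumptions made for this illustration.

```python
# Simplified model for illustration; not MySQL's or PHP's actual code.
# Assumption: the server reads the connection as GBK, a multi-byte charset
# (lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0x80-0xFE).
SPECIAL = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
           0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\"}
LEAD = range(0x81, 0xFF)

def char_len(data, i, charset):
    """Byte length of the character at data[i] as seen in `charset`."""
    if charset == "gbk" and data[i] in LEAD and i + 1 < len(data):
        trail = data[i + 1]
        if 0x40 <= trail <= 0xFE and trail != 0x7F:
            return 2
    return 1

def escape(data, charset):
    """Escape `data` the way a client library that believes `charset` would."""
    out, i = bytearray(), 0
    while i < len(data):
        n = char_len(data, i, charset)
        if n == 2:                        # whole multi-byte character: copy as is
            out += data[i:i + 2]
        elif charset == "gbk" and data[i] in LEAD:
            out += b"\\" + data[i:i + 1]  # stray lead byte: neutralise it
        else:
            out += SPECIAL.get(data[i], data[i:i + 1])
        i += n
    return bytes(out)

def terminating_quotes(literal, server_charset):
    """Count single quotes the server would treat as ending the string."""
    count, i = 0, 0
    while i < len(literal):
        n = char_len(literal, i, server_charset)
        if n == 1 and literal[i] == 0x5C:  # backslash hides the next byte
            i += 2
            continue
        if n == 1 and literal[i] == 0x27:
            count += 1
        i += n
    return count

SAMPLE = b"\xbf'"  # constructed input: stray lead byte followed by a quote
# SET NAMES gbk only: server reads GBK, client library still escapes as latin1.
mismatched = terminating_quotes(escape(SAMPLE, "latin1"), "gbk")
# mysql_set_charset('gbk'): client library and server agree on the charset.
matched = terminating_quotes(escape(SAMPLE, "gbk"), "gbk")
print("SET NAMES only:", mismatched, "| mysql_set_charset:", matched)
```

In the mismatched case the backslash added by the escaper is absorbed as the trail byte of a two-byte character, so the quote is no longer escaped from the server's point of view; when both sides agree on the charset, no quote terminates the string.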