Is mysql_real_escape_string() broken?


Problem description


Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used.
Bringing some fossilized articles as a proof.

So, the question is: is mysql[i]_real_escape_string() totally unacceptable?
Or is it still possible to use this function to create your own kind of prepared statements?

With proofcode, please.

Solution

From the MySQL’s C API function mysql_real_escape_string description:

If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.

So don’t use SET NAMES/SET CHARACTER SET but PHP’s mysql_set_charset to change the encoding as that is the counterpart to MySQL’s mysql_set_character_set (see source code of /ext/mysql/php_mysql.c).
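Why the escaper's view of the character set matters, as an added example that is not part of the original answer or of libmysqlclient: a simplified C model in which the escaper uses the client-side charset and the server parses with its own. The charsets (latin1, GBK), the function names and the two-byte sample are assumptions chosen for illustration; SET NAMES corresponds to changing only the server side, mysql_set_character_set() to changing both.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model (an assumption, not libmysqlclient source): the escaper
   only knows the charset recorded on the client side of the connection. */
typedef enum { CS_LATIN1, CS_GBK } charset;

static int gbk_lead(unsigned char c)  { return c >= 0x81 && c <= 0xFE; }
static int gbk_trail(unsigned char c) { return (c >= 0x40 && c <= 0x7E) || (c >= 0x80 && c <= 0xFE); }

/* Length of a valid multi-byte character starting at p, or 0 if none. */
static size_t mb_len(charset cs, const unsigned char *p, size_t left) {
    return (cs == CS_GBK && left >= 2 && gbk_lead(p[0]) && gbk_trail(p[1])) ? 2 : 0;
}

/* Escape quote and backslash the way a charset-aware escaper does. */
size_t model_escape(charset client_cs, const unsigned char *in, size_t n, unsigned char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        size_t l = mb_len(client_cs, in + i, n - i);
        if (l) { memcpy(out + o, in + i, l); o += l; i += l - 1; continue; }
        /* a dangling lead byte is escaped too, so it cannot absorb the next byte */
        if (in[i] == '\'' || in[i] == '\\' || (client_cs == CS_GBK && gbk_lead(in[i])))
            out[o++] = '\\';
        out[o++] = in[i];
    }
    return o;
}

/* Server-side view: 1 if a quote survives unescaped when the bytes are
   read as server_cs, i.e. the string literal would end early. */
int has_unescaped_quote(charset server_cs, const unsigned char *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        size_t l = mb_len(server_cs, s + i, n - i);
        if (l) { i += l - 1; continue; }        /* whole multi-byte character */
        if (s[i] == '\\') { i++; continue; }    /* backslash escapes one byte */
        if (s[i] == '\'') return 1;
    }
    return 0;
}

/* Constructed input: a GBK lead byte followed by a quote. */
static const unsigned char SAMPLE[] = { 0xBF, '\'' };

/* Escape with the client's idea of the charset, parse with the server's. */
int literal_breaks(charset client_cs, charset server_cs) {
    unsigned char buf[2 * sizeof SAMPLE];
    size_t n = model_escape(client_cs, SAMPLE, sizeof SAMPLE, buf);
    return has_unescaped_quote(server_cs, buf, n);
}
```

literal_breaks(CS_LATIN1, CS_GBK) models the SET NAMES case, where only the server side changed; literal_breaks(CS_GBK, CS_GBK) models the connection after mysql_set_character_set().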

