mysql使用addslashes() [英] The mysql use of addslashes()
问题描述
Possible Duplicate:
What does mysql_real_escape_string() do that addslashes() doesn't?
如果要防止SQL注入,则要做的第一件事是使用mysql_real_escape_string.可以使用addslashes()注入数据库吗?
If you are trying to prevent sql injection, the first thing you would do is use mysql_real_escape_string. Is it possible to inject a database using addslashes()?
推荐答案
addslashes与str_replace($str, "'", "\\'")大致等效.您可以使用在mysql中评估为'的任意数量的unicode序列轻松地绕过它,但是看起来与addslashes()完全不同.
addslashes is the rough equivalent of str_replace($str, "'", "\\'"). You can bypass it trivially with any number of unicode sequences that evaluate down to ' in mysql, but look completely different to addslashes().
Mysql_real_escape_String()使用实际的内部mysql转义功能,该功能确切知道要查找的内容并进行修复以使其对mysql是安全的".适用于mysql的方法可能不适用于另一个数据库,因为每个数据库的转义语义和要求都略有不同,但是如果您使用的是mysql,则真正的转义字符串"是解决之道.
Mysql_real_escape_String() on the other hand, uses the actual internal mysql escaping function, which knows exactly what to look for and fix to make it "safe" for mysql. What works for mysql may not work for another database, as each has slightly different escaping semantics and requirements, but if you're working with mysql, then the "real escape string" is the way to go.
这篇关于mysql使用addslashes()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
