mysqli_real_escape_string安全吗? [英] Is mysqli_real_escape_string safe?

问题描述

我是PHP的新手，我意识到使用php表单(带有用户名和口令文本输入)的数据库连接是完全不安全的:

I´m new in PHP and I´ve realised that my database connection, using a php form (with user and pass text inputs) was totally unsafe:

这是可行的，但不安全:

This was working, but was unsafe:

<?php
$link=mysqli_connect('localhost','xx','xx','xx');
$sql='  SELECT * FROM usuarios 
        WHERE username="'.$_POST['usuario'].'" 
        AND pass="'.$_POST['usuario'].'"
     ';
$rs=mysqli_query($link,$sql);
mysqli_close($link);
?>

因此，我已经阅读了有关mysqli_real_escape_string的信息，并决定尝试一下:

So, I´ve read about mysqli_real_escape_string, and decided to try it out:

<?php    
$link=mysqli_connect('localhost','xx','xx','xx');
$usuario=mysqli_real_escape_string($link, $_POST["usuario"]);
$clave=mysqli_real_escape_string($link, $_POST["clave"]);
$sql='  SELECT * FROM usuarios 
        WHERE username="'.$usuario.'" 
        AND pass="'.$clave.'"
     ';
$rs=mysqli_query($link,$sql);
mysqli_close($link);
?>

这是正确的吗?这是一个如何使用mysqli_real_escape_string的好例子吗?

Is this correct? Is this a good example of how to use mysqli_real_escape_string?

推荐答案

这是正确的吗?

Is this correct?

是的

这是如何使用mysqli_real_escape_string的一个很好的例子吗?

Is this a good example of how to use mysqli_real_escape_string?

否

如果使用过此函数，则必须将其封装到某些内部处理中，而不必从应用程序代码中直接调用它.必须使用占位符来表示查询中的数据:

NO

If ever used, this function have to be encapsulated into some inner processing, and never have to be called right from the application code. A placeholder have to be used instead, to represent data in your query:

$sql='SELECT * FROM usuarios WHERE username=? AND pass=?';

然后，在处理占位符标记时，可以应用此功能 (如果适用)，但不能单独应用，而是遵循所有格式设置规则.

And then, upon processing placeholder marks, this function may be applied (if applicable) but not by itself but along ALL the formatting rules.

这篇关于mysqli_real_escape_string安全吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！