mysqli_real_escape_string，我应该使用它吗? [英] mysqli_real_escape_string, should I use it?

问题描述

我想消除SQL注入，应该使用mysqli_real_escape_string()还是在mysqli中清楚? 例如

I want to eliminate sql injection, should I use mysqli_real_escape_string() or is it clear in mysqli? For example

$nick = mysqli_real_escape_string($_POST['nick'])

推荐答案

您应使用准备好的语句，并将字符串数据作为参数传递，但是您不应转义它.

You should use prepared statements and pass string data as a parameter but you should not escape it.

此示例摘自文档:

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);

    /* fetch value */
    $stmt->fetch();

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    $stmt->close();
}

请注意，该示例不会不调用mysqli_real_escape_string.如果直接在查询中嵌入字符串，则只需要使用mysqli_real_escape_string，但是我建议您不要这样做.尽可能始终使用参数.

Note that the example does not call mysqli_real_escape_string. You would only need to use mysqli_real_escape_string if you were embedding the string directly in the query, but I would advise you to never do this. Always use parameters whenever possible.

相关

• 如何防止PHP中的SQL注入?

这篇关于mysqli_real_escape_string，我应该使用它吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！