mysqli_real_escape_string,我应该使用它吗? [英] mysqli_real_escape_string, should I use it?
问题描述
我想消除SQL注入,应该使用mysqli_real_escape_string()
还是在mysqli中清楚?
例如
I want to eliminate sql injection, should I use mysqli_real_escape_string()
or is it clear in mysqli?
For example
$nick = mysqli_real_escape_string($_POST['nick'])
推荐答案
您应使用准备好的语句,并将字符串数据作为参数传递,但是您不应转义它.
You should use prepared statements and pass string data as a parameter but you should not escape it.
此示例摘自文档:
/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
/* bind parameters for markers */
$stmt->bind_param("s", $city);
/* execute query */
$stmt->execute();
/* bind result variables */
$stmt->bind_result($district);
/* fetch value */
$stmt->fetch();
printf("%s is in district %s\n", $city, $district);
/* close statement */
$stmt->close();
}
请注意,该示例不会不调用mysqli_real_escape_string
.如果直接在查询中嵌入字符串,则只需要使用mysqli_real_escape_string
,但是我建议您不要这样做.尽可能始终使用参数.
Note that the example does not call mysqli_real_escape_string
. You would only need to use mysqli_real_escape_string
if you were embedding the string directly in the query, but I would advise you to never do this. Always use parameters whenever possible.
相关
这篇关于mysqli_real_escape_string,我应该使用它吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!