什么时候应该使用PHP mysqli_real_escape_string()函数? [英] When Should I Use PHP mysqli_real_escape_string() Function?
问题描述
我知道mysqli_real_escape_string函数可用于防止SQL注入. (但是,mysql_real_escape_string()不会保护您免受某些注入)
I know that mysqli_real_escape_string Function can be used to prevent SQL injections. ( However, mysql_real_escape_string() will not protect you against some injections)
我的问题是我何时应该使用mysqli_real_escape_string()函数?
My question is when should I use mysqli_real_escape_string() function?
情况01
我有一个注册表单,其中包含4个字段,分别为名字,姓氏,电子邮件和密码.
I have a registration form with 4 fields called First Name, Last Name, Email, Password.
我也应该使用mysqli_real_escape_string()插入查询吗?所有四个字段?
Should I use mysqli_real_escape_string() to insert query also? All four fields?
还是足以用于登录表单?
Or is it enough to use in login form?
情况02
我有一个个人资料页面,例如 profile.php?user_name = damith
I have a profile page like profile.php?user_name=damith
我在此页面的许多功能中使用了 $ _ GET ['user_name'] .
I have used $_GET['user_name'] in many functions in this page.
我应该在所有这些函数中使用mysqli_real_escape_string()吗?
Should I use mysqli_real_escape_string() in all those functions?
推荐答案
mysqli_real_escape_string()不再是确保您保存在数据库中的数据安全的最佳方法.相反,您应该使用准备好的语句: http://php.net /manual/en/mysqli.quickstart.prepared-statements.php
mysqli_real_escape_string() is no longer the best way to ensure the data you save in your database is safe. Instead, you should be using prepared statements: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
关于您的问题:每当您将不确定的数据(尤其是该数据来自Web表单等未知来源)放入数据库时,都应确保为数据库正确格式化了数据. mysqli_real_escape_string()只能对字符串文字执行此操作,这就是为什么预处理语句是更好的方法.每当执行依赖于用户提交的数据的查询时,都应该使用准备好的语句.
As to your question: Anytime you are putting data that you are unsure of (especially if that data comes from unknown sources like a web form) into your database you should be making sure that it is properly formatted for your database. mysqli_real_escape_string() can only do that for string literals which is why prepared statements are the better approach. Anytime you execute a query that relies on user submitted data, you should be using prepared statements.
当输出数据显示给用户时,不需要使用mysqli_real_escape_string(),而应使用htmlspecialchars()(
When you output data to display to the user, you don't need to use mysqli_real_escape_string(), but should instead be escaping for the web using htmlspecialchars() (http://php.net/htmlspecialchars)
情况1-肯定会,甚至更好的方法是使用准备好的语句.
situation 1 - YES DEFINITELY, and even better would be to use prepared statements.
情况2-如果要在网页上向用户显示数据,则无需使用mysqli_real_escape_string(),而应使用htmlspecialchars()来降低XSS和其他代码注入攻击的风险.
situation 2 - If you are displaying data to the user on a web page, you do not need to use mysqli_real_escape_string() but should instead use htmlspecialchars() to decrease the risk of XSS and other code injection attacks.
一些例子:
<?php
// Prepared statement. Save the user's first name to the database:
$stmt = $mysqli->prepare("INSERT INTO users(first_name) VALUES (?)");
$stmt->bind_param("s", $first_name);
$stmt->execute();
// Echo the user's first name back to them
echo "Saved your first name: " .
htmlspecialchars($first_name) . " to the database.";
For more information on preventing SQL injection, see this excellent answer: How can I prevent SQL injection in PHP?
这篇关于什么时候应该使用PHP mysqli_real_escape_string()函数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
