Using MySQLi's real_escape_string as a static function


Question

I'm wondering if I could escape strings (using real_escape_string) without first creating an object instance to apply the function to?

I.e., we could do this:

$database = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
// real_escape_string() returns the escaped copy; it does not modify its argument
$query = $database->real_escape_string($query);
$database->query($query);

However, what I'm trying to do for consistency within my application is to have a mostly static database class which is an extension of the MySQLi class, so that I could call database::real_escape_string($query), a static method.

I do realise that I could build a function which escapes the string manually without MySQL.

Answer

The short answer is: no.

The long answer is: well, it's not recommended, for a simple reason. MySQLi's real escape takes character encoding into account, because a certain kind of SQL injection technique uses and abuses character encoding to bypass common filters. This requires the code to know both the originating (PHP) charset and the receiving (MySQL) charset configuration. This is why it cannot be called statically (and cannot be called until you have a valid link to the server)!

I'd also avoid the procedural version of it, as it simply does the "charset" bit under the hood by effectively taking the last server that you connected to, which can lead to fun stuff once you're dealing with multiple database connections simultaneously.
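The charset trick the answer alludes to is the well-known GBK multibyte bypass. As an added example (not part of the original question or answer, and not mysqli's or MySQL's own implementation), the following Python model shows why an escaper that does not know the connection charset is unsafe, and why the same input is harmless under a single-byte charset. The charset tables (gbk and latin1 only), the `naive_escape`/`charset_aware_escape` helpers, the simplified lexer in `string_literal_end`, and the `PAYLOAD` bytes are all constructed for this illustration; the lexer models only the two rules that matter here (whole multibyte characters are skipped, a backslash consumes exactly one following byte) and ignores modes such as NO_BACKSLASH_ESCAPES.

```python
# Added example: why escaping needs the connection charset (not mysqli's code).
#
# In GBK a lead byte 0x81-0xFE followed by a trail byte 0x40-0x7E or 0x80-0xFE
# forms one two-byte character. 0x5C ('\') is a legal trail byte, so
# 0xBF 0x5C is one character, whereas 0xBF 0x27 (0x27 = "'") is not.
from typing import Optional

SPECIALS = b"'\"\\"          # bytes a SQL string escaper must prefix with '\'


def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def mb_char_len(data: bytes, i: int, charset: str) -> int:
    """Length of the valid multibyte character starting at data[i], or 0.
    Only 'gbk' is multibyte in this toy model; 'latin1' is single-byte."""
    if (charset == "gbk" and i + 1 < len(data)
            and is_gbk_lead(data[i]) and is_gbk_trail(data[i + 1])):
        return 2
    return 0


def naive_escape(data: bytes) -> bytes:
    """Byte-by-byte escaping that knows nothing about the charset
    (what addslashes() or a static, connection-less helper would do)."""
    out = bytearray()
    for b in data:
        if b in SPECIALS:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escaping that knows the charset the server will parse with: complete
    multibyte characters pass through untouched, and a byte that only looks
    like a lead byte (invalid sequence) is itself escaped, so that it cannot
    fuse with a backslash inserted in front of the following quote."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = mb_char_len(data, i, charset)
        if n:
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if b in SPECIALS or (charset == "gbk" and is_gbk_lead(b)):
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def build_query(escaped_value: bytes) -> bytes:
    return b"SELECT id FROM users WHERE name = '" + escaped_value + b"'"


def string_literal_end(query: bytes, start: int, charset: str) -> Optional[int]:
    """Index of the quote closing the literal opened at query[start], scanned
    the way a charset-aware SQL lexer does: a whole multibyte character is
    skipped, a backslash consumes exactly one following byte, and the first
    unescaped quote ends the literal."""
    i = start + 1
    while i < len(query):
        n = mb_char_len(query, i, charset)
        if n:
            i += n
        elif query[i] == 0x5C:
            i += 2
        elif query[i] == 0x27:
            return i
        else:
            i += 1
    return None


def injection_succeeds(escaped_value: bytes, charset: str) -> bool:
    """True if the escaped value closes its own quotes before the closing
    quote supplied by the query template, i.e. the rest becomes live SQL."""
    query = build_query(escaped_value)
    opening = query.index(b"'")
    closing = string_literal_end(query, opening, charset)
    return closing is not None and closing != len(query) - 1


# Constructed attacker input: a GBK lead byte, a quote, then injected SQL.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    for charset in ("gbk", "latin1"):
        print(charset, "naive:", injection_succeeds(naive_escape(PAYLOAD), charset),
              "aware:", injection_succeeds(charset_aware_escape(PAYLOAD, charset), charset))
```

Under gbk the naive escaper turns `BF 27` into `BF 5C 27`; the lexer reads `BF 5C` as one character and the quote is live, so the injection goes through. The charset-aware escaper emits `5C BF 5C 27`, the backslash consumes the stray lead byte and the quote stays escaped. Under latin1 both escapers are safe, which is exactly the answer's point: the right output depends on the charset of the link you are about to send the query over, so an escaper with no connection cannot know what is correct. The other practical consequence is that the naive escaper also corrupts legitimate GBK text whose trail byte is `5C`, whereas the charset-aware one passes it through.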
