什么时候不应该使用mysql_real_escape_string [英] When should I NOT use mysql_real_escape_string

问题描述

我看到了此评论.... http://www.php.net/manual/zh/function.mysql-real-escape-string.php#93005

I saw this comment.... http://www.php.net/manual/en/function.mysql-real-escape-string.php#93005

开始怀疑为什么这是个坏主意.

And began to wonder why this would be a bad idea.

推荐答案

由于以下几个原因，这是个坏主意:

It's a bad idea for a couple reasons:

• 首先，它假设您的输入 将永远进入 数据库和单独进入数据库. 如果要使用某些东西怎么办 在HTML输出中?还是在电子邮件中?或者 写入文件?或许多其他 东西..你的过滤应该总是 对上下文敏感.

• 更重要的是，它鼓励 s草地使用GET，POST等，因为 没有迹象表明他们已经 被过滤.如果有人看到你 使用

• First, it assumes that your inputs will always be going into the database and into the database alone. What if something is going to be used in HTML output? Or in an email? Or written to a file? Or lots of other things.. your filtering should always be context-sensitive.

• More importantly, it encourages sloppy use of GET, POST, etc because there's no indication that they've been filtered. If someone sees you use

回显$ _POST ['name'];

echo $_POST['name'];

在页面上，他们怎么知道 被过滤了吗?甚至更糟的是... 你确定是吗?那个怎么样 其他应用程式?你知道的，你曾经是 刚交?新开发者会做什么?他们甚至不知道过滤很重要吗?

on a page, how would they know it's been filtered? Or even worse... are you sure it has been? What about that other app? You know, the one you were just handed? What would new developers do? Would they even know that filtering is important?

这篇关于什么时候不应该使用mysql_real_escape_string的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！