PHP mysql_real_escape_string()和%字符 [英] PHP mysql_real_escape_string() and % character
问题描述
mysql_real_escape_string()
对%
(百分比)字符有什么作用,它代表多少安全风险(以及如何解决)?
What does mysql_real_escape_string()
do with the %
(percent) character and how much of a security risk does it represent (and how to fix it)?
推荐答案
来自 mysql_real_escape_string()
文档:
注意:mysql_real_escape_string()不能转义%和_.这些是 如果与MySQL中的通配符结合使用 喜欢,允许或撤消.
Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.
就安全性而言,除非您正在运行LIKE
,GRANT
或REVOKE
,否则这不是问题. LIKE
可能是唯一的 real 问题.在这种情况下,您将如何逃避它取决于您.
As far as security, unless you are running a LIKE
, GRANT
, or REVOKE
, it's a non-issue. LIKE
is probably the only real concern. It's up to you how you would want to escape it in these situations.
一个简单的例子:
"... LIKE '%" . mysql_real_escape_string($string) . "%' ..."
这篇关于PHP mysql_real_escape_string()和%字符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!