PHP mysql_real_escape_string()和％字符 [英] PHP mysql_real_escape_string() and % character

问题描述

mysql_real_escape_string()对%(百分比)字符有什么作用，它代表多少安全风险(以及如何解决)?

What does mysql_real_escape_string() do with the % (percent) character and how much of a security risk does it represent (and how to fix it)?

推荐答案

来自 mysql_real_escape_string()文档:

注意:mysql_real_escape_string()不能转义％和_.这些是 如果与MySQL中的通配符结合使用 喜欢，允许或撤消.

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

就安全性而言，除非您正在运行LIKE，GRANT或REVOKE，否则这不是问题. LIKE可能是唯一的 real 问题.在这种情况下，您将如何逃避它取决于您.

As far as security, unless you are running a LIKE, GRANT, or REVOKE, it's a non-issue. LIKE is probably the only real concern. It's up to you how you would want to escape it in these situations.

一个简单的例子:

"... LIKE '%" . mysql_real_escape_string($string) . "%' ..."

这篇关于PHP mysql_real_escape_string()和％字符的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！