何时使用mysql_real_escape_string() [英] When to use mysql_real_escape_string()
问题描述
何时才是使用mysql_real_escape_string的正确时间?
When is the correct time to use mysql_real_escape_string?
当我使用isset(mysql_escape_string($ _ GET ['param'])),
Should I be using it when I use isset(mysql_escape_string($_GET['param'])),
当我使用$ foo = mysql_real_escape_string($ _ GET ['bar'])时应该使用它吗?
Should I be using it when I use $foo = mysql_real_escape_string($_GET['bar']);
谢谢
推荐答案
在构建带有字符串文字的SQL查询时,需要调用此函数。
您应该
You need to call this function when building SQL queries with string literals.
You should not call it anywhere else.
调用此函数的目的是防止您执行SQL,例如 SELECT * FROM Students WHERE Name ='Robert '); DROP TABLE Students;-'。
mysql_real_escape_string
将跳过'
字符,以便将邪恶字符串完全视为字符串。
The point of calling this function is to prevent you from executing SQL like SELECT * FROM Students WHERE Name = 'Robert'); DROP TABLE Students;--'
.
mysql_real_escape_string
will escape the '
character so that the evil string is treated entirely as a string.
这篇关于何时使用mysql_real_escape_string()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!