对字符串进行转义是什么意思? [英] What does it mean to escape a string?

问题描述

我正在阅读 是否 $_SESSION['username'] 在进入 SQL 查询之前需要转义吗? 并且它说您需要转义传递给 sql 查询的每个字符串，无论其来源如何".现在我知道这样的事情非常基本.谷歌搜索结果超过 20,000.仅 Stackoverflow 就有 20 页的结果，但没有人真正解释转义字符串是什么或如何做.这只是假设.你能帮助我吗?我想学习，因为我一直在用 PHP 制作一个网络应用程序.

I was reading Does $_SESSION['username'] need to be escaped before getting into an SQL query? and it said "You need to escape every string you pass to the sql query, regardless of its origin". Now I know something like this is really basic. A Google search turned up over 20, 000 results. Stackoverflow alone had 20 pages of results but no one actually explains what escaping a string is or how to do it. It is just assumed. Can you help me? I want to learn because as always I am making a web app in PHP.

我看过:插入转义字符、Java 中的所有转义字符是什么?,无法使用 addcslashes() 转义字符串，转义符，mysql_real_escape_string() 到底做了什么?,如何从字符串中转义双引号php?,MySQL_real_escape_string 不加斜线?,从 php 中的字符串中删除转义序列 我可以继续，但我是确定你明白了.这不是懒惰.

I have looked at: Inserting Escape Characters, What are all the escape characters in Java?, Cant escape a string with addcslashes(), Escape character, what does mysql_real_escape_string() really do?, How can i escape double quotes from a string in php?, MySQL_real_escape_string not adding slashes?, remove escape sequences from string in php I could go on but I am sure you get the point. This is not laziness.

推荐答案

对字符串进行转义意味着减少该字符串中使用的引号(和其他字符)中的歧义.例如，当你定义一个字符串时，你通常用双引号或单引号将它括起来:

Escaping a string means to reduce ambiguity in quotes (and other characters) used in that string. For instance, when you're defining a string, you typically surround it in either double quotes or single quotes:

"Hello World."

但是如果我的字符串中有双引号怎么办?

But what if my string had double quotes within it?

"Hello "World.""

现在我有歧义 - 解释器不知道我的字符串在哪里结束.如果我想保留双引号，我有几个选择.我可以在字符串周围使用单引号:

Now I have ambiguity - the interpreter doesn't know where my string ends. If I want to keep my double quotes, I have a couple options. I could use single quotes around my string:

'Hello "World."'

或者我可以转义我的引号:

Or I can escape my quotes:

"Hello \"World.\""

任何以斜杠开头的引号都被转义，并被理解为字符串值的一部分.

Any quote that is preceded by a slash is escaped, and understood to be part of the value of the string.

说到查询，MySQL 有一些它会监视的关键字，我们不能在查询中使用这些关键字，否则会引起一些混乱.假设我们有一个值表，其中一列名为Select"，我们想选择它:

When it comes to queries, MySQL has certain keywords it watches for that we cannot use in our queries without causing some confusion. Suppose we had a table of values where a column was named "Select", and we wanted to select that:

SELECT select FROM myTable

我们现在在查询中引入了一些歧义.在我们的查询中，我们可以通过使用反引号来减少这种歧义:

We've now introduced some ambiguity into our query. Within our query, we can reduce that ambiguity by using back-ticks:

SELECT `select` FROM myTable

这消除了我们在选择字段名称时使用错误判断而引入的混淆.

This removes the confusion we've introduced by using poor judgment in selecting field names.

通过简单地通过mysql_real_escape_string().在下面的示例中，您可以看到我们通过此函数传递用户提交的数据，以确保它不会对我们的查询造成任何问题:

A lot of this can be handled for you by simply passing your values through mysql_real_escape_string(). In the example below you can see that we're passing user-submitted data through this function to ensure it won't cause any problems for our query:

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

还存在其他用于转义字符串的方法，例如 add_slashes、addcslashes、quotemeta 等，但您会发现当目标是运行安全查询，大体上开发人员更喜欢 mysql_real_escape_string 或 pg_escape_string(在 PostgreSQL 的上下文中.

Other methods exist for escaping strings, such as add_slashes, addcslashes, quotemeta, and more, though you'll find that when the goal is to run a safe query, by and large developers prefer mysql_real_escape_string or pg_escape_string (in the context of PostgreSQL.

这篇关于对字符串进行转义是什么意思?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！