对字符串进行转义是什么意思? [英] What does it mean to escape a string?
问题描述
我正在阅读 是否 $_SESSION['username'] 在进入 SQL 查询之前需要转义吗? 并且它说您需要转义传递给 sql 查询的每个字符串,无论其来源如何".现在我知道这样的事情非常基本.谷歌搜索结果超过 20,000.仅 Stackoverflow 就有 20 页的结果,但没有人真正解释转义字符串是什么或如何做.这只是假设.你能帮助我吗?我想学习,因为我一直在用 PHP 制作一个网络应用程序.
I was reading Does $_SESSION['username'] need to be escaped before getting into an SQL query? and it said "You need to escape every string you pass to the sql query, regardless of its origin". Now I know something like this is really basic. A Google search turned up over 20, 000 results. Stackoverflow alone had 20 pages of results but no one actually explains what escaping a string is or how to do it. It is just assumed. Can you help me? I want to learn because as always I am making a web app in PHP.
我看过:插入转义字符、Java 中的所有转义字符是什么?,无法使用 addcslashes() 转义字符串,转义符,mysql_real_escape_string() 到底做了什么?,如何从字符串中转义双引号php?,MySQL_real_escape_string 不加斜线?,从 php 中的字符串中删除转义序列 我可以继续,但我是确定你明白了.这不是懒惰.
I have looked at: Inserting Escape Characters, What are all the escape characters in Java?, Cant escape a string with addcslashes(), Escape character, what does mysql_real_escape_string() really do?, How can i escape double quotes from a string in php?, MySQL_real_escape_string not adding slashes?, remove escape sequences from string in php I could go on but I am sure you get the point. This is not laziness.
推荐答案
对字符串进行转义意味着减少该字符串中使用的引号(和其他字符)中的歧义.例如,当你定义一个字符串时,你通常用双引号或单引号将它括起来:
Escaping a string means to reduce ambiguity in quotes (and other characters) used in that string. For instance, when you're defining a string, you typically surround it in either double quotes or single quotes:
"Hello World."
但是如果我的字符串中有双引号怎么办?
But what if my string had double quotes within it?
"Hello "World.""
现在我有歧义 - 解释器不知道我的字符串在哪里结束.如果我想保留双引号,我有几个选择.我可以在字符串周围使用单引号:
Now I have ambiguity - the interpreter doesn't know where my string ends. If I want to keep my double quotes, I have a couple options. I could use single quotes around my string:
'Hello "World."'
或者我可以转义我的引号:
Or I can escape my quotes:
"Hello \"World.\""
任何以斜杠开头的引号都被转义,并被理解为字符串值的一部分.
Any quote that is preceded by a slash is escaped, and understood to be part of the value of the string.
说到查询,MySQL 有一些它会监视的关键字,我们不能在查询中使用这些关键字,否则会引起一些混乱.假设我们有一个值表,其中一列名为Select",我们想选择它:
When it comes to queries, MySQL has certain keywords it watches for that we cannot use in our queries without causing some confusion. Suppose we had a table of values where a column was named "Select", and we wanted to select that:
SELECT select FROM myTable
我们现在在查询中引入了一些歧义.在我们的查询中,我们可以通过使用反引号来减少这种歧义:
We've now introduced some ambiguity into our query. Within our query, we can reduce that ambiguity by using back-ticks:
SELECT `select` FROM myTable
这消除了我们在选择字段名称时使用错误判断而引入的混淆.
This removes the confusion we've introduced by using poor judgment in selecting field names.
通过简单地通过mysql_real_escape_string()
.在下面的示例中,您可以看到我们通过此函数传递用户提交的数据,以确保它不会对我们的查询造成任何问题:
A lot of this can be handled for you by simply passing your values through mysql_real_escape_string()
. In the example below you can see that we're passing user-submitted data through this function to ensure it won't cause any problems for our query:
// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
还存在其他用于转义字符串的方法,例如 add_slashes
、addcslashes
、quotemeta
等,但您会发现当目标是运行安全查询,大体上开发人员更喜欢 mysql_real_escape_string
或 pg_escape_string
(在 PostgreSQL 的上下文中.
Other methods exist for escaping strings, such as add_slashes
, addcslashes
, quotemeta
, and more, though you'll find that when the goal is to run a safe query, by and large developers prefer mysql_real_escape_string
or pg_escape_string
(in the context of PostgreSQL.
这篇关于对字符串进行转义是什么意思?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!