Is mysql_real_escape_string() broken?


Problem description

Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used.
Bringing some fossilized articles as a proof.

So, the question is: is mysql[i]_real_escape_string() totally unacceptable?
Or is it still possible to use this function to create your own kind of prepared statements?

Please provide proof code.

Recommended answer

From MySQL's C API function mysql_real_escape_string description:

If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.

So don’t use SET NAMES/SET CHARACTER SET but PHP’s mysql_set_charset to change the encoding as that is the counterpart to MySQL’s mysql_set_character_set (see source code of /ext/mysql/php_mysql.c).
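
An added example, not part of the original answer: it uses the mysqli counterparts (set_charset(), character_set_name(), real_escape_string()) because ext/mysql was removed in PHP 7, and adds a guard that refuses to escape when the client library's charset and the server's session charset have drifted apart. The helper names, connection values and the users table are hypothetical.

```php
<?php
// Added example. Host, credentials, table name and the helper names
// safe_connect() / assert_charset_in_sync() / quote() are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function safe_connect(string $host, string $user, string $pass, string $db): mysqli
{
    $link = new mysqli($host, $user, $pass, $db);
    // Correct: updates the charset the client library escapes with
    // AND informs the server, which a plain SET NAMES query does not do.
    $link->set_charset('utf8mb4');
    return $link;
}

function assert_charset_in_sync(mysqli $link): void
{
    // Charset that real_escape_string() will use on the client side.
    $client = $link->character_set_name();
    // Charset the server uses to interpret the bytes we send.
    $row = $link->query('SELECT @@character_set_client AS cs')->fetch_assoc();
    if ($client !== $row['cs']) {
        throw new RuntimeException(
            "escaping charset '$client' != server charset '{$row['cs']}'; " .
            "the charset was changed with SET NAMES instead of set_charset()"
        );
    }
}

function quote(mysqli $link, string $value): string
{
    assert_charset_in_sync($link);
    return "'" . $link->real_escape_string($value) . "'";
}

$link = safe_connect('127.0.0.1', 'app', 'secret', 'appdb'); // placeholder values
$sql  = 'SELECT id FROM users WHERE name = ' . quote($link, "O'Reilly");
$link->query($sql);

// The mistake the answer warns about: only the server side changes,
// so the guard rejects the next quote() call.
$link->query('SET NAMES latin1');
try {
    quote($link, 'x');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The guard costs one round trip per call; in practice it can be run once after connecting and again after any code path that might issue its own SET NAMES.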
