Is mysql_real_escape_string() broken?
Question
Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used, bringing some fossilized articles as proof.
So, the question is: is mysql[i]_real_escape_string() totally unacceptable? Or is it still possible to use this function to create your own kind of prepared statements?
Please provide proof code.
Accepted answer
From the description of MySQL's C API function mysql_real_escape_string:

If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.
So don't use SET NAMES / SET CHARACTER SET but PHP's mysql_set_charset to change the encoding, as that is the counterpart to MySQL's mysql_set_character_set (see the source code of /ext/mysql/php_mysql.c).
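The mechanism behind the answer, as an added example that is not code from the original question, the answer, or PHP itself: a Python model of the escaper and of the server's string lexer, run over the same attacker input with the client library believing the connection is latin1 (what happens after a bare SET NAMES gbk) and with the client library told gbk (what mysql_set_charset does). The GBK lead/trail byte ranges, the rule of escaping an orphan lead byte, and the lexer are simplified from libmysqlclient and the server and are assumptions made for illustration; no MySQL server is involved.

```python
# Added example (not code from the original question or answer): a small
# Python model of why the client library's idea of the connection charset
# matters for mysql_real_escape_string(). No MySQL server is involved; the
# GBK byte ranges and the escaping/lexing rules below are simplified from
# the client library and server and are assumptions for illustration only.

# Characters the escaper always replaces, as in the C API documentation.
ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
    0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\",
}


def _gbk_head(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def _gbk_tail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def ismbchar(data: bytes, i: int, charset: str) -> int:
    """Length of the multibyte character at data[i], or 0 if there is none.
    latin1 is single-byte, so it never reports one."""
    if (charset == "gbk" and i + 1 < len(data)
            and _gbk_head(data[i]) and _gbk_tail(data[i + 1])):
        return 2
    return 0


def mbcharlen(b: int, charset: str) -> int:
    """Length a byte claims to start, judged from the lead byte alone."""
    return 2 if charset == "gbk" and _gbk_head(b) else 1


def escape_string(data: bytes, client_charset: str) -> bytes:
    """Model of mysql_real_escape_string(): escape per character of the
    charset the client library believes the connection uses."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = ismbchar(data, i, client_charset)
        if n:                      # whole multibyte char: copy untouched
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if mbcharlen(b, client_charset) > 1:
            # Lead byte with no valid trail byte: escape it, so the server
            # cannot pair it with the backslash emitted for the next byte.
            out += b"\\" + bytes([b])
        else:
            out += ESCAPES.get(b, bytes([b]))
        i += 1
    return bytes(out)


def build_query(user_input: bytes, client_charset: str) -> bytes:
    return (b"SELECT * FROM users WHERE name = '"
            + escape_string(user_input, client_charset) + b"'")


def trailing_sql(query: bytes, server_charset: str) -> bytes:
    """Model of the server's string lexer under the charset the connection is
    actually in. Returns whatever follows the first quoted literal: b"" means
    the user input stayed inside the literal, anything else is injected SQL."""
    i = query.index(b"'") + 1
    while i < len(query):
        n = ismbchar(query, i, server_charset)
        if n:                      # multibyte char: its second byte is data
            i += n
        elif query[i] == 0x5C:     # backslash escapes the next byte
            i += 2
        elif query[i] == 0x27:     # closing quote
            return query[i + 1:]
        else:
            i += 1
    raise ValueError("unterminated string literal")


# Constructed attacker input: a GBK lead byte followed by a quote.
INPUT = b"\xbf'  OR 1=1 -- "


def demo() -> dict:
    return {
        # SET NAMES gbk: the server is in gbk, but the client library still
        # escapes byte-wise as latin1; 0xBF 0x5C then forms one GBK char,
        # the quote is free, and the rest runs as SQL.
        "set_names_gbk": trailing_sql(build_query(INPUT, "latin1"), "gbk"),
        # mysql_set_charset('gbk'): both sides agree, the orphan lead byte
        # is escaped, and the quote stays inside the literal.
        "mysql_set_charset_gbk": trailing_sql(build_query(INPUT, "gbk"), "gbk"),
        # Charset never changed: both sides latin1, also safe.
        "default_latin1": trailing_sql(build_query(INPUT, "latin1"), "latin1"),
    }


if __name__ == "__main__":
    for name, tail in demo().items():
        print(f"{name:24s} injected tail: {tail!r}")
```

The point the model makes is that the escaper is only as good as its knowledge of the charset: the same input is escaped to the same bytes in the "SET NAMES gbk" and "never changed" cases, and only the server's interpretation differs. In PHP that means calling mysql_set_charset() (or mysqli_set_charset() with the mysqli extension) instead of issuing SET NAMES through a query, so the client library and the server agree before any escaping happens.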