逃避字符串意味着什么? [英] What does it mean to escape a string?
问题描述
我正在阅读 $ _SESSION ['username']需要在进入SQL查询之前进行转义?,它表示您需要转义您传递给sql查询的所有字符串,而不管其起源。现在我知道这样的东西真的很基础。 Google搜索结果超过20万。 Stackoverflow单独有20页的结果,但没有人实际解释什么逃避一个字符串是或如何做到这一点。只是假设你可以帮我吗?我想学习,因为我一直在使用PHP制作一个网络应用程序。
I was reading Does $_SESSION['username'] need to be escaped before getting into an SQL query? and it said "You need to escape every string you pass to the sql query, regardless of its origin". Now I know something like this is really basic. A Google search turned up over 20, 000 results. Stackoverflow alone had 20 pages of results but no one actually explains what escaping a string is or how to do it. It is just assumed. Can you help me? I want to learn because as always I am making a web app in PHP.
我看过:
插入逃脱角色, Java中的所有转义字符是什么?,
无法使用addcslashes()转义字符串 ,
转义字符,
mysql_real_escape_string()真的做了什么?,
如何从php中的字符串中避免双引号?,
MySQL_real_escape_string不添加斜杠?,
从字符串中删除转义序列在php 我可以继续,但我相信你得到的点。这不是懒惰。
I have looked at: Inserting Escape Characters, What are all the escape characters in Java?, Cant escape a string with addcslashes(), Escape character, what does mysql_real_escape_string() really do?, How can i escape double quotes from a string in php?, MySQL_real_escape_string not adding slashes?, remove escape sequences from string in php I could go on but I am sure you get the point. This is not laziness.
推荐答案
转义字符串意味着减少字符串中使用的引号(和其他字符)的歧义。例如,当您定义一个字符串时,您通常使用双引号或单引号括起来:
Escaping a string means to reduce ambiguity in quotes (and other characters) used in that string. For instance, when you're defining a string, you typically surround it in either double quotes or single quotes:
"Hello World."
但是如果我的字符串中有双引号呢?
But what if my string had double quotes within it?
"Hello "World.""
现在我有歧义 - 解释器不知道我的字符串结束在哪里。如果我想保留双引号,我有几个选择。我可以在我的字符串周围使用单引号:
Now I have ambiguity - the interpreter doesn't know where my string ends. If I want to keep my double quotes, I have a couple options. I could use single quotes around my string:
'Hello "World."'
或者我可以逃避我的报价:
Or I can escape my quotes:
"Hello \"World.\""
之前是斜线的任何引号都是 escaped ,并被理解为字符串值的一部分。
Any quote that is preceded by a slash is escaped, and understood to be part of the value of the string.
当涉及到查询时,MySQL有一些关键字,不能在我们的查询中使用,而不会引起一些混乱。假设我们有一个值列表,其中列被命名为选择,我们想选择:
When it comes to queries, MySQL has certain keywords it watches for that we cannot use in our queries without causing some confusion. Suppose we had a table of values where a column was named "Select", and we wanted to select that:
SELECT select FROM myTable
我们现在在我们的查询中引入了一些歧义。在我们的查询中,我们可以通过使用back-ticks来减少歧义:
We've now introduced some ambiguity into our query. Within our query, we can reduce that ambiguity by using back-ticks:
SELECT `select` FROM myTable
这样可以消除我们在选择字段名称时使用不良判断引入的混淆。
This removes the confusion we've introduced by using poor judgment in selecting field names.
很多这可以通过简单地传递你的值通过 mysql_real_escape_string()
。在下面的示例中,您可以看到我们通过此函数传递用户提交的数据,以确保不会对我们的查询造成任何问题:
A lot of this can be handled for you by simply passing your values through mysql_real_escape_string()
. In the example below you can see that we're passing user-submitted data through this function to ensure it won't cause any problems for our query:
// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
存在用于转义字符串的其他方法,例如 add_slashes
, addcslashes
, quotemeta
等等,虽然你会发现,当目标是运行一个安全查询,大部分开发者喜欢 mysql_real_escape_string
或 pg_escape_string
(在PostgreSQL的上下文中。
Other methods exist for escaping strings, such as add_slashes
, addcslashes
, quotemeta
, and more, though you'll find that when the goal is to run a safe query, by and large developers prefer mysql_real_escape_string
or pg_escape_string
(in the context of PostgreSQL.
这篇关于逃避字符串意味着什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!