mysql_escape_string VS mysql_real_escape_string
Question

So this is something we all should know about, and it played on my mind when I first saw it.

I know that mysql_escape_string is deprecated from 5.3, but what was the actual difference in mysql_real_escape_string?

What I thought was that mysql_real_escape_string is the exact same as mysql_escape_string, apart from the fact that mysql_real_escape_string takes a second argument for the mysql resource.

So then I thought, well, surely there must be some difference as to how strings are handled, because there would not be a need for 2 functions.

So then I thought that the difference was purely down to locale and character encodings?

Can anyone clear this up for me?
Recommended answer

The difference is that mysql_escape_string just treats the string as raw bytes, and adds escaping where it believes it's appropriate.

mysql_real_escape_string, on the other hand, uses the information about the character set used for the MySQL connection. This means the string is escaped while treating multi-byte characters properly; i.e., it won't insert escaping characters in the middle of a character. This is why you need a connection for mysql_real_escape_string; it's necessary in order to know how the string should be treated.

However, instead of escaping, it's a better idea to use parameterized queries from the MySQLi library; there have previously been bugs in the escaping routine, and it's possible that some could appear again. Parameterizing the query is much, much harder to mess up, so it's less likely that you can get compromised by a MySQL bug.
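As an added illustration of the multi-byte point in the answer (this is not code from the original Q&A or from PHP's implementation), the following compares a byte-oriented escaper with a charset-aware one on a constructed Shift_JIS input whose character 表 is encoded as the bytes 0x95 0x5C, the second of which is the backslash byte. The function names and the escape table are assumptions modelled on MySQL's string-literal escaping rules.

```python
# Constructed example: byte-wise vs charset-aware escaping of a MySQL
# string literal. Function names and the escape table are assumptions.

# Bytes MySQL string literals escape, and their escaped forms.
SPECIAL = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
           0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z"}
UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "\\": "\\",
            "'": "'", '"': '"', "Z": "\x1a"}


def escape_bytes(raw: bytes) -> bytes:
    """Byte-oriented escaping in the spirit of mysql_escape_string:
    every byte is inspected alone, with no knowledge of the charset."""
    out = bytearray()
    for b in raw:
        out += SPECIAL.get(b, bytes([b]))
    return bytes(out)


def escape_charset(raw: bytes, charset: str) -> bytes:
    """Charset-aware escaping in the spirit of mysql_real_escape_string:
    decode with the connection charset first, so a 0x5C that is the
    trailing byte of a multi-byte character is never touched."""
    out = []
    for ch in raw.decode(charset):
        enc = ch.encode(charset)
        if len(enc) == 1 and enc[0] in SPECIAL:
            out.append(SPECIAL[enc[0]])
        else:
            out.append(enc)
    return b"".join(out)


def server_view(escaped: bytes, charset: str) -> str:
    """Emulate a charset-aware server decoding the literal and undoing
    the escapes. A lone trailing backslash is the failure mode: on a real
    server it would swallow the closing quote of the literal."""
    text = escaped.decode(charset)
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(UNESCAPE.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    raw = "表".encode("shift_jis")          # b"\x95\\", constructed input
    print(server_view(escape_bytes(raw), "shift_jis"))            # 表\
    print(server_view(escape_charset(raw, "shift_jis"), "shift_jis"))  # 表
```

For plain ASCII both escapers agree; the two only diverge on charsets where a byte with a special meaning can appear inside a multi-byte character, which is exactly the information the connection supplies.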