php mysql_escape_string VS mysql_real_escape_string

Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question and is provided under the CC BY-SA 4.0 licence. If you use it you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original: http://stackoverflow.com/questions/3665572/
Warning: these are provided under the cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow

Time: 2020-08-25 10:37:40  Source: igfitidea

mysql_escape_string VS mysql_real_escape_string

Tags: php, escaping, mysql-real-escape-string, mysql-escape-string

Asked by RobertPitt

So this is something we all should know about, and it played on my mind when I first saw it.

I know that mysql_escape_string is deprecated from 5.3, but what was the actual difference in mysql_real_escape_string?

What I thought was that mysql_real_escape_string is the exact same as mysql_escape_string, apart from mysql_real_escape_string taking a second argument for the mysql resource.

So then I thought, well, surely there must be some difference as to how strings are handled, because otherwise there would not be a need for 2 functions.

So then I thought that the difference was purely down to locale and character encodings?

Can anyone clear this up for me?

Answered by Michael Madsen

The difference is that mysql_escape_string just treats the string as raw bytes, and adds escaping where it believes it's appropriate.

mysql_real_escape_string, on the other hand, uses the information about the character set used for the MySQL connection. This means the string is escaped while treating multi-byte characters properly; i.e., it won't insert escaping characters in the middle of a character. This is why you need a connection for mysql_real_escape_string; it's necessary in order to know how the string should be treated.

However, instead of escaping, it's a better idea to use parameterized queries from the MySQLi library; there have previously been bugs in the escaping routine, and it's possible that some could appear again. Parameterizing the query is much, much harder to mess up, so it's less likely that you can get compromised by a MySQL bug.

Answered by deceze

Well... sort of, yes. It takes the character set of the MySQL connection into account.

http://php.net/mysql_escape_string

This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.
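As an added example, not part of the original question or of either answer above, the following stand-alone Python simulation makes the point of the two answers concrete: byte-wise escaping (the mysql_escape_string behaviour) is compared with charset-aware escaping (the mysql_real_escape_string behaviour), and both outputs are fed through a small model of how MySQL's lexer reads a single-quoted literal in a multi-byte charset. Only GBK and latin1 are modelled; the function names, the lexer model and the constructed inputs are this example's own assumptions, not PHP or MySQL code. The constructed attacker input starts with the byte 0xBF, which is a GBK lead byte, followed by a quote: 0xBF 0x27 is not a valid GBK character, but 0xBF 0x5C is, so a backslash inserted blindly in front of the quote is swallowed into a two-byte character and the quote survives unescaped.

```python
# Added example: a simulation of mysql_escape_string (byte-wise) versus
# mysql_real_escape_string (charset-aware) escaping, checked against a model
# of how MySQL lexes a quoted string literal. Helpers, names and sample
# inputs are this example's own; only GBK and latin1 are modelled.

# Bytes that MySQL's escaping routine rewrites inside a string literal.
ESCAPES = {
    0x00: b"\\0", 0x5C: b"\\\\", 0x27: b"\\'", 0x22: b'\\"',
    0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
}


def mb_char_len(data: bytes, i: int, charset: str) -> int:
    """Length of the valid multi-byte character starting at data[i], else 0.
    Model assumption: GBK is the only multi-byte charset here; a lead byte is
    0x81-0xFE and is followed by exactly one trail byte."""
    if charset != "gbk" or not 0x81 <= data[i] <= 0xFE or i + 1 >= len(data):
        return 0
    try:
        data[i:i + 2].decode("gbk")
        return 2
    except UnicodeDecodeError:
        return 0


def looks_like_lead_byte(b: int, charset: str) -> bool:
    return charset == "gbk" and 0x81 <= b <= 0xFE


def escape_bytewise(data: bytes) -> bytes:
    """mysql_escape_string semantics: each byte is escaped in isolation, with
    no knowledge of the connection character set."""
    return b"".join(ESCAPES.get(b, bytes([b])) for b in data)


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """mysql_real_escape_string semantics: a valid multi-byte character is
    copied whole (no backslash is ever inserted inside it), and a stray byte
    that merely looks like a lead byte is itself escaped, so it can never be
    glued onto the backslash that escapes the byte after it."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = mb_char_len(data, i, charset)
        if n:
            out += data[i:i + n]
            i += n
        elif looks_like_lead_byte(data[i], charset):
            out += b"\\" + data[i:i + 1]
            i += 1
        else:
            out += ESCAPES.get(data[i], data[i:i + 1])
            i += 1
    return bytes(out)


def read_literal(sql: bytes, start: int, charset: str):
    """Model of MySQL's lexer reading the single-quoted literal opening at
    sql[start]. Returns (literal bytes, bytes after the closing quote), or
    (literal bytes, None) if the quote is never closed. Multi-byte characters
    are consumed whole, a backslash takes the next byte verbatim (sequences
    such as \\n are not translated; only quoting matters here) and the first
    bare quote ends the literal."""
    literal = bytearray()
    i = start + 1
    while i < len(sql):
        n = mb_char_len(sql, i, charset)
        if n:
            literal += sql[i:i + n]
            i += n
        elif sql[i] == 0x5C and i + 1 < len(sql):
            literal += sql[i + 1:i + 2]
            i += 2
        elif sql[i] == 0x27:
            return bytes(literal), sql[i + 1:]
        else:
            literal += sql[i:i + 1]
            i += 1
    return bytes(literal), None


def sql_after_literal(user_input: bytes, escaper, parser_charset: str):
    """Embeds the escaped input in WHERE name = '...' and returns what the
    lexer sees after the literal: b"" means the input stayed inside the
    quotes, anything else is injected SQL, None means the literal broke."""
    query = b"SELECT * FROM users WHERE name = '" + escaper(user_input) + b"'"
    _literal, rest = read_literal(query, query.index(b"'"), parser_charset)
    return rest


# Constructed inputs. 0xBF is a GBK lead byte, but 0xBF 0x27 is not a valid
# GBK character, so the 0x27 is a real quote; 0xBF 0x5C, however, is a valid
# two-byte GBK character whose trail byte happens to be a backslash.
ATTACK = b"\xbf' OR 1=1 #"
BENIGN = b"\xbf\x5c"

if __name__ == "__main__":
    gbk_aware = lambda d: escape_charset_aware(d, "gbk")
    print("bytewise, GBK parser:     ", sql_after_literal(ATTACK, escape_bytewise, "gbk"))
    print("charset-aware, GBK parser:", sql_after_literal(ATTACK, gbk_aware, "gbk"))
    print("bytewise mangles 0xBF5C:  ", sql_after_literal(BENIGN, escape_bytewise, "gbk"))
```

Three things fall out of the simulation. Byte-wise escaping lets the attacker's quote terminate the literal under a GBK parser, and it also corrupts a perfectly legitimate 0xBF 0x5C character by doubling its trail byte, which is exactly the "escaping in the middle of a character" the answer describes. Charset-aware escaping handles both. The less obvious point is that the protection only holds when the escaping routine and the server's parser agree on the charset: escaping in latin1 and parsing in GBK (the same bytes, wrong metadata) reopens the hole, which is why the PHP manual tells you to set the connection charset with mysql_set_charset() rather than a bare SET NAMES query that the client library never sees.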

Answered by Rocky Sharma

mysql_escape_string is not deprecated from 5.3 but from 4.3.0 and above. So anyone using PHP version 4.3.0 or above should use mysql_real_escape_string.

If using PHP < 4.3.0, then make magic_quotes_gpc active in php.ini, though it is recommended to update; but if your code will have problems, then make sure you use magic_quotes_gpc and the addslashes function rather than mysql_escape_string.

Answered by Jeff_Alieffson

Now both of these functions are deprecated in PHP 4 >= 4.3.0 and PHP 5. They recommend using the PDO_MySQL extension.