What you quote is probably from the doc, but as far as I know it's not necessarily true.

您引用的内容可能来自文档，但据我所知，这不一定是真的。

addslashesadds slashes to characters that are commonly disturbing. mysql_real_escape_stringescapes whatever MySQL needs to be escaped. This may be more or less characters than what addslashestakes care of.

addslashes为通常令人不安的字符添加斜线。mysql_real_escape_string转义 MySQL 需要转义的任何内容。这可能比addslashes处理的字符多或少。

Also, mysql_real_escape_stringwill not necessarily add slashes to escape. While I think it works if you do it that way, recent versions of MySQL escape quotes by putting two of them together instead of by putting a slash before it.

另外，mysql_real_escape_string不一定会加斜杠来转义。虽然我认为如果你这样做的话它会起作用，但最近版本的 MySQL 通过将它们中的两个放在一起而不是在它前面放一个斜杠来转义引号。

I believe you should always use your data provider's escape function instead of addslashes, because addslashesmay either do too much or not enough work for the purpose you use it. On the other hand, mysql_real_escape_stringknowswhat to do to prepare a string for embedding it in a query. Even if the specs change about how to escape stuff and suddenly it's not backslashes that you should use anymore, your code will still work because mysql_real_escape_stringwill be aware of it.

我相信您应该始终使用数据提供者的转义函数而不是addslashes，因为addslashes可能会为您使用它的目的做太多或不够的工作。另一方面，mysql_real_escape_string知道如何准备将字符串嵌入到查询中。即使关于如何转义内容的规范发生了变化，并且突然间您不再应该使用反斜杠，您的代码仍然可以工作，因为您mysql_real_escape_string会意识到这一点。

mysql_real_escape_string() also takes into account the character set used by the current connection to the database.

mysql_real_escape_string() 还考虑了当前连接到数据库所使用的字符集。

The PHP function mysql_real_escape_string() uses the MySQL C API function of the same name: http://dev.mysql.com/doc/refman/5.1/en/mysql-real-escape-string.html

PHP函数mysql_real_escape_string()使用了同名的MySQL C API函数：http: //dev.mysql.com/doc/refman/5.1/en/mysql-real-escape-string.html

Also read addslashes() Versus mysql_real_escape_string()by noted PHP security expert Chris Shiflett, for a demonstration that you can get SQL injection exploits even if you use addslashes().

另请阅读著名PHP 安全专家 Chris Shiflett 撰写的addlashes() 与 mysql_real_escape_string()一文，以演示即使您使用 addlashes() 也可以获得 SQL 注入漏洞。

Other folks recommend using query parameters, and then you don't have to do any escaping of dynamic values. I recommend this too, but in PHP you'd have to switch to PDO or ext/mysqli, because the plain ext/mysql API doesn't support query parameters.

其他人建议使用查询参数，然后您不必对动态值进行任何转义。我也推荐这个，但在 PHP 中你必须切换到 PDO 或 ext/mysqli，因为普通的 ext/mysql API 不支持查询参数。

Also there may be some corner cases where you can't use query parameters for a dynamic string value, like your search pattern in a fulltext search.

此外，在某些极端情况下，您无法将查询参数用于动态字符串值，例如全文搜索中的搜索模式。

There was a bunch of history with mysql_escape_stringand mysql_real_escape_string. They were both attempts at providing a "general" escaping mechanism that would minimize the probability of sql injection attacks.

有一帮的历史mysql_escape_string和mysql_real_escape_string。他们都试图提供一种“通用”的转义机制，以最大限度地减少 sql 注入攻击的可能性。

mysql_real_escape_stringand addslashesare ok, if they're what you really need -- but they probably aren't.

mysql_real_escape_string和addslashes都行，如果他们是你真正需要的东西-但他们可能都没有。

As @afrazier says, you should use prepared statements

正如@afrazier 所说，你应该使用准备好的语句

Instead of prepare quer"ies using PDO you can use this while your application uses MySQLi (beware! "i" at and of Mysql")

您可以在您的应用程序使用 MySQLi 时使用它，而不是使用 PDO 准备查询（注意！Mysql 中的“i”）

$nick = $connect->real_escape_string($nick);
$nick= addcslashes($nick, '%_');

$pass = $connect->real_escape_string($pass);
$pass = addcslashes($pass, '%_');

Ignore both and just use parameterized queries. Unless, of course, you like injection attacks.

忽略两者，只使用参数化查询。当然，除非你喜欢注入攻击。