Escaping a string means to reduce ambiguity in quotes (and other characters) used in that string. For instance, when you're defining a string, you typically surround it in either double quotes or single quotes:

转义字符串意味着减少该字符串中使用的引号（和其他字符）中的歧义。例如，当你定义一个字符串时，你通常用双引号或单引号将它括起来：

"Hello World."

But what if my string had double quotes within it?

但是如果我的字符串中有双引号呢？

"Hello "World.""

Now I have ambiguity - the interpreter doesn't know where my string ends. If I want to keep my double quotes, I have a couple options. I could use single quotes around my string:

现在我有歧义 - 解释器不知道我的字符串在哪里结束。如果我想保留双引号，我有几个选择。我可以在字符串周围使用单引号：

'Hello "World."'

Or I can escape my quotes:

或者我可以逃避我的报价：

"Hello \"World.\""

Any quote that is preceded by a slash is escaped, and understood to be part of the value of the string.

任何以斜杠开头的引号都会被转义，并被理解为字符串值的一部分。

When it comes to queries, MySQL has certain keywords it watches for that we cannot use in our queries without causing some confusion. Suppose we had a table of values where a column was named "Select", and we wanted to select that:

当涉及到查询时，MySQL 有一些它会监视的关键字，我们不能在查询中使用这些关键字而不会引起一些混乱。假设我们有一个值表，其中一列名为“Select”，我们想选择它：

SELECT select FROM myTable

We've now introduced some ambiguity into our query. Within our query, we can reduce that ambiguity by using back-ticks:

我们现在已经在我们的查询中引入了一些歧义。在我们的查询中，我们可以通过使用反引号来减少这种歧义：

SELECT `select` FROM myTable

This removes the confusion we've introduced by using poor judgment in selecting field names.

这消除了我们在选择字段名称时使用错误判断而引入的混淆。

A lot of this can be handled for you by simply passing your values through mysql_real_escape_string(). In the example below you can see that we're passing user-submitted data through this function to ensure it won't cause any problems for our query:

只需将您的值通过mysql_real_escape_string(). 在下面的示例中，您可以看到我们通过此函数传递用户提交的数据，以确保它不会对我们的查询造成任何问题：

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

Other methods exist for escaping strings, such as add_slashes, addcslashes, quotemeta, and more, though you'll find that when the goal is to run a safe query, by and large developers prefer mysql_real_escape_stringor pg_escape_string(in the context of PostgreSQL.

其他方法转义字符串，如存在add_slashes，addcslashes，quotemeta，和更多的，但你会发现，当我们的目标是运行安全的查询，由大开发商喜欢mysql_real_escape_string或pg_escape_string（在PostgreSQL中的上下文。

Some characters have special meaning to the SQL database you are using. When these characters are being used in a query they can cause unexpected and/or unintended behavior including allowing an attacker to compromise your database. To prevent these characters from affecting a query in this way they need to be escaped, or to say it a different way, the database needs to be told to not treat them as special characters in this query.

某些字符对您使用的 SQL 数据库具有特殊意义。在查询中使用这些字符时，它们可能会导致意外和/或意外行为，包括允许攻击者破坏您的数据库。为了防止这些字符以这种方式影响查询，它们需要被转义，或者换种说法，需要告诉数据库不要将它们视为此查询中的特殊字符。

In the case of mysql_real_escape_string()it escapes \x00, \n, \r,\, ', "and \x1aas these, when not escaped, can cause the previously mentioned problems which includes SQL injections with a MySQL database.

在mysql_real_escape_string()它转义的情况下\x00，\n, \r, \, ',"和\x1a因为这些，当没有转义时，可能会导致前面提到的问题，包括对 MySQL 数据库的 SQL 注入。