php 我应该使用 mysqli_real_escape string() 还是 mysql_real_escape_string() 来处理表单数据?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14135932/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Should I use mysqli_real_escape string() or mysql_real_escape_string() for form data?
提问by user1629766
Possible Duplicate:
mysql_escape_string VS mysql_real_escape_string
I need to get company_name (given by user through a form) entered into my mysql database. When I use
我需要将 company_name (由用户通过表单给出)输入到我的 mysql 数据库中。当我使用
$company = mysqli_real_escape_string($_POST['company_name'])
I get an error
我收到一个错误
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /opt/lampp/htdocs/Abacus-Version-2/admin/Company/insert_company.php on line 58
But everything seems to fine while using
但是在使用时一切似乎都很好
$company = mysql_real_escape_string($_POST['company_name'])
What can I do in such cases?
在这种情况下我能做什么?
回答by Anshu
The one to use depends on whether you are using the MySQLiextension or the MySQLextension
使用哪个取决于您使用的是MySQLi扩展程序还是MySQL扩展程序
// procedural mysqli
$db = new mysqli;
$sql = sprintf("INSERT INTO table (id,name,email,comment) VALUES (NULL,'%s','%s','%s')",
mysqli_real_escape_string($db,$name),
mysqli_real_escape_string($db,$email),
mysqli_real_escape_string($db,$comment) );
// mysql
$conn = mysql_connect();
$sql = sprintf("INSERT INTO table (id,name,email,comment) VALUES (NULL,'%s','%s','%s')",
mysql_real_escape_string($name,$conn),
mysql_real_escape_string($email,$conn),
mysql_real_escape_string($comment,$conn) );
回答by Luke
mysql_real_escape_string()is designed to make data safe for insertion into the database without errors. (IE such as escaping slashes so that it doesn't break your code).
mysql_real_escape_string()旨在使数据安全地插入数据库而不会出错。(IE 等转义斜杠,这样它就不会破坏你的代码)。
You should use mysql_or mysqli_functions to match your connection string. "mysqli" is the object oriented implementation of the mysql set of functions, so the functions are called in the object oriented style. "mysql" is procedural. I'd suggest changing over to "mysqli" because I believe there has been talk of depreciating the "mysql" functions in future versions.
您应该使用mysql_或mysqli_函数来匹配您的连接字符串。“mysqli”是mysql函数集的面向对象实现,所以函数以面向对象的风格被调用。“mysql”是程序性的。我建议改用“mysqli”,因为我相信有人讨论过在未来版本中贬低“mysql”功能。
If you connection string is:
如果您的连接字符串是:
mysql_connect()
then use:
然后使用:
mysql_real_escape_string($_POST[''])
If it is:
如果是:
$mysqli = new mysqli();
then use:
然后使用:
$mysqli->real_escape_string($_POST[''])
回答by Your Common Sense
Definitely NO
绝对不
Both functions has nothing to do with form data.
They have to be used to format string literalsinserted into SQL query only.
This function belongs to the SQL query, not to whatever form. And even to very limited part of the query - a string literal.
这两个函数都与表单数据无关。
他们必须来格式化字符串文本插入SQL查询只。
这个函数属于 SQL 查询,不属于任何形式。甚至查询的非常有限的部分 - 字符串文字。
So, every time you're going to insert into query a string literal (frankly, a portion of data enclosed in quotes), this function ought to be used unconditionally.
For the any other case it shouldn't be used at all.
因此,每次您要在查询中插入字符串文字(坦率地说,是用引号括起来的一部分数据)时,都应该无条件地使用该函数。
对于任何其他情况,根本不应该使用它。
As for the error you're getting - it's pretty self-explanatory: this function expects 2 parameters, not one. Just pass proper parameters as stated in the manual page for this function, and you'll be okay
至于你得到的错误——这是不言自明的:这个函数需要 2 个参数,而不是一个。只需按照此函数的手册页中所述传递适当的参数,就可以了
回答by Oldskool
Since all the MySQLextension is being deprecated, you'd best use the MySQLimethods instead, it's more future proof.
由于所有MySQL扩展都已弃用,您最好改用这些MySQLi方法,它更具未来证明。
回答by Perry
It should be this if you use Procedural style:
如果你使用 Procedural 风格应该是这样的:
$city = mysqli_real_escape_string($link, $city);
where link is the connection
其中 link 是连接
or this when you use Object oriented style:
或者当你使用面向对象的风格时:
$city = $mysqli->real_escape_string($city);
Check out the php manual: http://php.net/manual/en/mysqli.real-escape-string.php
查看php手册:http: //php.net/manual/en/mysqli.real-escape-string.php
回答by Stefan
Both variants are fine* (Please look at my Update).
两种变体都很好*(请查看我的更新)。
When you are using a mysql_connectthen you should stick to mysql_real_escape_string()and also pass the connection handle.
当您使用 a mysql_connectthen 时,您应该坚持mysql_real_escape_string()并传递连接句柄。
When you are using a mysqli_connectthen you should stick to mysqli_real_escape_string().
当您使用 amysqli_connect那么您应该坚持使用mysqli_real_escape_string().
UPDATE
更新
As pointed out by Jeffrey in the comments, using mysql_functions is NOTfine. I agree to that. I was just pointing out, that you need to use the function that is used by the MySQL-extension you are using.
正如杰弗里在评论中指出的那样,使用mysql_函数不好。我同意这一点。我只是指出,您需要使用您正在使用的 MySQL 扩展所使用的函数。
It came to me, that it was not the question, which MySQL-extension to use, but which function for escaping data.
我想到,问题不是要使用哪个 MySQL 扩展,而是哪个函数用于转义数据。
If you ask me:
如果你问我:
- Use
mysqliorPDO, becausemysqlis not recommendable and deprecated. - Pass the Connection Handle to the escape-function or better
- use prepared Statements(PDO-Style)
