如果绑定参数,是否必须使用 mysql_real_escape_string?

发布于 2024-08-22 03:21:40 字数 393 浏览 10 评论 0原文

我有以下代码:

function dbPublish($status)
{
 global $dbcon, $dbtable;

 if(isset($_GET['itemId']))
 {
  $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?';
  $stmt = $dbcon->prepare($sqlQuery);
  $stmt->bind_param('ii', $status, $_GET['itemId']);
  $stmt->execute();
  $stmt->close();
 }
}

在这种情况下我需要 mysql_real_escape_string 还是我可以?

I have the following code:

function dbPublish($status)
{
 global $dbcon, $dbtable;

 if(isset($_GET['itemId']))
 {
  $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?';
  $stmt = $dbcon->prepare($sqlQuery);
  $stmt->bind_param('ii', $status, $_GET['itemId']);
  $stmt->execute();
  $stmt->close();
 }
}

Do I need to mysql_real_escape_string in this case or am i okay?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

多孤肩上扛 2024-08-29 03:21:40

不,当您使用准备好的语句时,您不必自己转义值(即不,您不需要调用 mysqli_real_escape_string):数据库引擎会做那本身。

(实际上,如果您调用 mysql_real_escape_string 并使用绑定参数,您的字符串将被转义两次——这不太好:您最终会得到到处都是转义字符...)

作为旁注:您的值作为整数传递(如'ii'所示),因此您不必调用mysql_real_escape_string ,即使您没有使用准备好的语句:正如其名称所示,该函数用于转义...字符串。

对于整数,我通常只使用 intval 来确保我将数据注入到 SQL 中查询实际上是整数。

(但是,当您使用准备好的查询时,您不必自己进行这种转义)

No, you don't have to escape value yourself (i.e. no you don't need to call mysqli_real_escape_string), when you are using prepared statements : the DB engine will do that itself.

(Actually, if you were calling mysql_real_escape_string and using bound parameters, your strings would get escaped twice -- which would not be great : you'd end up with escaping characters everywhere...)

As a sidenote : your values are passed as integers (as indicated by the 'ii'), so you wouldn't have to call mysql_real_escape_string, even if you were not using prepared statements : as its name indicates, this function is used to escape... strings.

For integers, I generally just use intval to make sure the data I inject into my SQL queries really are integers.

(But, as you are using prepared queries, once again, you don't have to do that kind of escaping yourself)

夏夜暖风 2024-08-29 03:21:40

不,你一定不能。将两者结合起来会产生
在数据中显示的可见转义字符中。

No, you must not. Combining the two would result
in visible escape characters showing up in your data.

滥情哥ㄟ 2024-08-29 03:21:40
function dbPublish($status)    
{    
 global $dbcon, $dbtable;    

 if(isset($_GET['itemId']))    
 {    
  $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?';    
  $stmt = $dbcon->prepare($sqlQuery);    
  $stmt->bind_param('ii', $status, $_GET['itemId']);    
  $stmt->execute();    
  $stmt->close();    
 }    
}   
function dbPublish($status)    
{    
 global $dbcon, $dbtable;    

 if(isset($_GET['itemId']))    
 {    
  $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?';    
  $stmt = $dbcon->prepare($sqlQuery);    
  $stmt->bind_param('ii', $status, $_GET['itemId']);    
  $stmt->execute();    
  $stmt->close();    
 }    
}   
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文