mysql_real_escape 多次
我只是想知道如果我多次 mysql_real_escape 数据是否会有所不同?
因此,如果我在网站的一部分中转义数据,然后在代码的另一部分中再次转义。这会是一个问题吗?或者有所作为?
I was just wondering whether it makes a difference if I mysql_real_escape data more than once?
So if I escaped data in one part of my website, and then again in another part of code. Would this be a problem? Or make a difference?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
mysql_real_escape 的正确位置是就在您发送查询以保存数据之前。
脚本中其他任何地方的所有其他实例都是主要的设计缺陷。
当然,最好应该在自己的数据库类中。
The right place for mysql_real_escape is right before you send the query to save the data.
Every other instance anywhere else in the script is a major design flaw.
That should preferably in an own db-class of course.
是的。你会得到额外不必要的反斜杠。
Yes. You'd get extra unnecessary backslashes.
是的,这会是一个问题。
例如:
如果a是“Joe's House”,则第一次调用将产生“Joe's House”,第二次调用将产生“Joe\\\'s House”,并将反斜杠保存在数据库中。
这类似于当 Web 服务器启用了魔术引号并且您在客户端输入上使用 mysql_real_escape_string 时出现的问题。这是通过以下方法解决的:(
对于后一个示例,请参阅 http://www.php.net/get_magic_quotes_gpc )
[我编辑了答案以反映下面评论中的更正]
Yes, it would be a problem.
For example:
if a is "Joe's House", the first call will produce "Joe\'s House" and the second one will produce "Joe\\\'s House", saving the backslash in the database.
This is similar to the problem that arises when the web server has the magic quotes enabled and you use mysql_real_escape_string on input from the client. This is solved by:
(For the latter example see http://www.php.net/get_magic_quotes_gpc )
[I edited the answer to reflect corrections in the comments below]
是的,这将是一个过度擒纵的问题。这对于任何转义都是一样的,无论它到底做了什么。例如,如果您要按照通用规则转义字符串中的双引号:
在一个转义变为之后,
在两个转义变为之后,
依此类推。 “擒纵机构”的数量必须与“擒纵机构”的数量完全匹配。您可能会在某些网站上看到此问题的表现,这些网站过度转义了文本字段中的某些字符,因此简单的撇号在输出时变成了
\'。Yes, it will be an over-escapement problem. This is the same for any escaping, regardless of what exactly it does. For instance, if you'd escape double quotes in string following common rule:
after one escaping becomes
after two becomes
and so on. Number of "unescapements" must exactly match number of "escapements". You could see manifestations of this problem on some sites that over-escape some characters in text fields, so that simple apostrophe becomes
\'on output.无法区分转义字符串和未转义字符串,因为看起来像转义字符串的东西是预期的未转义字符串。因此,再次尝试转义就会转义 - 并且转义一次的文本将是 MySQL 读取的内容。
因此,你绝不能多次逃跑。
但是,更好的解决方案是使用参数化查询,因为这样您就根本不需要转义。
It is not possible to distinguish between an escaped and an unescaped string, because the thing which looks like an escaped string was the intended unescaped string. Therefore, trying to escape again, would escape the escaping - and the escaped-once text will be what MySQL reads.
Therefore, you should never escape more than once.
However, a better solution is to use paramterized queries, since then you don't need to escape at all.
当然,数据会被双重转义。
您根本不应该使用 mysql_real_escape() ,通过 进行参数化查询mysqli 已经存在足够长的时间了。
Of course, data would be double-escaped.
You should not use
mysql_real_escape()at all, parameterized queries via mysqli have been sticking around long enough.是的,这会有所不同:
Yes, it makes a difference: