When copying data, mysql_real_escape_string again?
Before I put data into my database I pass it through mysql_real_escape_string.
If I want to copy that same data into another table, do I need to pass it through mysql_real_escape_string again before I copy it?
I wrote a small script to test the issue and it looks like the answer is yes:

$db = new AQLDatabase();
$db->connect();
// First insert: escape the string literal before building the query
$title = "imran's color";
$title = mysql_real_escape_string($title);
$sql = "insert into tags (title, color) values ('".$title."','@32324')";
$db->executeSQL($sql);
// Read the row back; the stored title has no escape characters in it
$sql = "select * from tags where color = '@32324' ";
$result = $db->executeSQL($sql);
while ($row = mysql_fetch_array($result))
{
    $new_title = $row['title'];
}
// Second insert: escape again, because the value goes into a new query
$new_title = mysql_real_escape_string($new_title);
$sql = "insert into tags (title, color) values ('".$new_title."','DDDDD')";
$db->executeSQL($sql);

NOTE: If I remove the second mysql_real_escape_string call, then the second insert won't take place.
Comments (4)
You are doing right. Just keep it as is. Not database though but query it is.
The only note: only strings should be escaped using this function. It shouldn't be used with any other query parts.
Didn't you answer your question already?
Before I put [string-type] data into my [query] I always make it go the Mysql_real_Escape_String thing.
Is your data going to SQL query? So, here is an answer you have already.

Well, if you are sure this data is already properly escaped, there is no need to.
mysql_real_escape_string is for 1) escaping 2) security purposes. Since it's your own database and as long as you pass data to another database outside a potential hacker's reach - you are already safe.

It's already escaped, just copy it as is; if you want to undo the mysql_real_escape_string you can use stripslashes($string) to remove it.
PS: This is false and now I understand why.

Are you doing something like this?
Fetching $bla from the database will "unescape" it so it could be a harmful string again. Always escape it again when saving it.
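
The behaviour the asker observed and the last answer describes, as an added example that is not part of the original thread: the database stores the raw value, so a fetched string has to be treated as untrusted input again when it goes into a new query. Assumptions: PDO with an in-memory SQLite database stands in for the asker's AQLDatabase class and MySQL so the script runs offline, bound parameters replace mysql_real_escape_string (the mysql_* extension was removed in PHP 7.0), and tags_copy is a hypothetical target table.

```php
<?php
// Added example, not the asker's code. SQLite in memory stands in for MySQL.
// tags/title/color follow the question; tags_copy is a hypothetical table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tags (title TEXT, color TEXT)');
$pdo->exec('CREATE TABLE tags_copy (title TEXT, color TEXT)');

// 1. Insert with bound parameters: the value never becomes part of the SQL text.
$ins = $pdo->prepare('INSERT INTO tags (title, color) VALUES (?, ?)');
$ins->execute(["imran's color", '@32324']);

// 2. Fetch it back: the stored value is the raw string, apostrophe included.
//    Escaping applied to the query text, it was never stored with the data.
$sel = $pdo->prepare('SELECT title FROM tags WHERE color = ?');
$sel->execute(['@32324']);
$title = $sel->fetchColumn();
var_dump($title);

// 3. Concatenating the fetched value into new SQL breaks the statement,
//    which is why the asker's second insert failed without escaping.
//    With a crafted title this is a second-order SQL injection.
try {
    $pdo->exec("INSERT INTO tags_copy (title, color) VALUES ('" . $title . "', 'DDDDD')");
} catch (PDOException $e) {
    echo 'concatenated copy failed: ', $e->getMessage(), "\n";
}

// 4a. Safe copy through PHP: bind the fetched value like any other input.
$copy = $pdo->prepare('INSERT INTO tags_copy (title, color) VALUES (?, ?)');
$copy->execute([$title, 'DDDDD']);

// 4b. Safe copy inside the database: the data never passes through a
//     string-built query, so nothing needs escaping.
$pdo->exec("INSERT INTO tags_copy (title, color)
            SELECT title, 'EEEEE' FROM tags WHERE color = '@32324'");

// Both copies hold the original, unmodified title.
foreach ($pdo->query('SELECT title, color FROM tags_copy') as $row) {
    echo $row['color'], ' => ', $row['title'], "\n";
}
```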