我应该一一转义输入参数还是转义整个sql查询?
我经常一一转义输入,我想知道两种方法之间的区别。哪一种是更常见的做法?我首先尝试转义“需要转义”的字段,然后我最终为每个值编写了很长的转义代码。一次转义整个sql语句有什么缺点?
I am often escaping inputs one by one and I am wondering about the difference between two methods. Which one is a more common practice? I tried escaping the "escape requiring" fields first, then I end up writing long escaping code for each value. What are the disadvantages of escaping a whole sql sentence at once?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
它不起作用,因为在查询中您使用诸如 ' 单引号之类的内容来指示值,并且您不希望这些值被转义,但您确实希望转义可能包含单引号的值。
It doesn't work because inside the query you are using things like ' single quotes to indicate values and you don't want those escaped, but you do want to escape the values that might contain single quotes.
有点题外话,但我觉得这很重要。
这不是你第一次就此事提出问题。而且看来你还是没明白重点。
抱歉,这个问题似乎是您的主要问题。
你不是寻求理解,不是寻求解释,而是只是要求某种积极的答案。
这个问题的结果应该是您根据您对此事的理解给自己的答案。
只有在这种情况下,它才会对你有好处。
否则你将再次陷入下一步。
请尝试理解转义字符串的含义。
对于任何具有非常基本的 SQL 知识的人来说,您的问题绝对没有意义。
当然,这样的整个查询转义永远不会起作用。只是因为 SQL 查询的性质。
您迫切需要理解这种性质。
请你读一些书。
请寻求解释,而不是寻求某种保证。
A somewhat offtopic but I feel it's very important.
This is not the first your question on the matter. And it seems you still don't get the point.
I beg my pardon, but it seems this question being your main problem.
Instead of looking for understanding, instead of looking for explanation, you are just asking of some sort of positive answer.
The result of this question should be the answer you gave to yourself, based on your understanding of the matter.
Only in this case it will do any good for you.
Otherwise you will stumble on the very next step again.
Please, try to understand the meaning of escaping strings.
Your question makes absolutely no sense to anyone who has a very basic SQL knowledge.
Of course such whole query escaping will never work. Just because of the nature of the SQL query.
You desperately need to understand this nature.
Please, read some books.
Please, ask for explanations, not for some assurance.
使用准备好的语句并使用绑定参数。其他任何事情都是等待发生的黑客事件
Use prepared statements and use bind parameters. Anything else is a hack waiting to happen
一一转义每个输入。如果您对整个 SQL 查询执行此操作,则无法确定 SQL 语句在转义后仍然有效。假设
输入
用户将在生成的 SQL 中
so,您将收到而不是
我认为在这种情况下转义整个 SQL 语句将不起作用。
Escape each inputs one by one. If you will do this for the whole SQL query, you cannot be sure that SQL statement is still valid after escaping. Let's say instead of
user will type in
so in the generated SQL you will receive
instead of
I think that escaping whole SQL statement will not work in such situation.
我猜想使用 mysql_real_escape_string 转义 sql 字符串更有利。参考时间和记忆。如果需要,可以在每个输入级别进行一些验证。
I guess escaping the sql string is more advantageous using mysql_real_escape_string. In reference to time and memory. Some validations can be done at each input level if needed.
您担心转义每个 var 的长代码,但由于某种原因您忘记了函数的用途。
希望这能为您指明正确的方向。
You are worried about long code for escaping each var but for some reason you forgot the purpose of a function.
Hopefully that gets you pointed in the right direction.