Should I escape the input parameters one by one, or escape the whole SQL query?

Posted 2024-12-15 23:17:09

I am often escaping inputs one by one and I am wondering about the difference between the two methods. Which one is the more common practice? I tried escaping the "escape-requiring" fields first, then I ended up writing long escaping code for each value. What are the disadvantages of escaping a whole SQL sentence at once?


Comments (6)

徒留西风 2024-12-22 23:17:09

It doesn't work because inside the query you are using things like ' single quotes to indicate values, and you don't want those escaped, but you do want to escape the values that might contain single quotes.

可是我不能没有你 2024-12-22 23:17:09

This is somewhat off-topic, but I feel it's very important.

This is not your first question on the matter. And it seems you still don't get the point.

Are you sure MySQL does not accept escaped SQL strings?

I beg your pardon, but it seems this question is your main problem.
Instead of looking for understanding, instead of looking for an explanation, you are just asking for some sort of positive answer.

The result of this question should be the answer you give yourself, based on your understanding of the matter.
Only in this case will it do you any good.
Otherwise you will stumble at the very next step again.

Please, try to understand the meaning of escaping strings.
Your question makes absolutely no sense to anyone who has very basic SQL knowledge.
Of course such whole-query escaping will never work, simply because of the nature of the SQL query.
You desperately need to understand this nature.
Please, read some books.
Please, ask for explanations, not for some assurance.

彩扇题诗 2024-12-22 23:17:09

使用准备好的语句并使用绑定参数。其他任何事情都是等待发生的黑客事件

Use prepared statements and use bind parameters. Anything else is a hack waiting to happen.

南街九尾狐 2024-12-22 23:17:09

Escape each input one by one. If you do this for the whole SQL query, you cannot be sure that the SQL statement is still valid after escaping. Let's say instead of

aaa

the user types in

a", "a

so in the generated SQL you will receive

("a", "a")

instead of

("aaa")

I think that escaping the whole SQL statement will not work in such a situation.
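The three cases the answers above describe (raw concatenation, per-value escaping, escaping the finished statement) and the bound-parameter alternative recommended earlier in the thread, as an added runnable example that is not code from the thread. It uses SQLite in place of MySQL, so literals are single-quoted and the hostile input is the thread's a", "a written with single quotes; the table and the helper names are constructed for the demo.

```python
import sqlite3


def escape_value(value: str) -> str:
    """Escape one string value for use inside a single-quoted SQL literal."""
    return value.replace("'", "''")


def build_unescaped(name: str) -> str:
    # Raw concatenation: a value containing quotes rewrites the statement.
    return "INSERT INTO users (name) VALUES ('" + name + "')"


def build_escaping_values(name: str) -> str:
    # Escape each value before splicing it between the structural quotes.
    return "INSERT INTO users (name) VALUES ('" + escape_value(name) + "')"


def build_escaping_whole(name: str) -> str:
    # Escape the finished statement: the quotes that delimit the literal
    # are doubled as well, so the SQL no longer parses.
    return escape_value(build_unescaped(name))


def run(sql: str, params: tuple = ()):
    """Run sql against a fresh in-memory table (constructed for the demo);
    return the stored names, or an error string if the statement fails."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    try:
        conn.execute(sql, params)
        return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]
    except sqlite3.Error as exc:
        return f"error: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    hostile = "a', 'a"  # the thread's a", "a in single-quote form
    print(run(build_unescaped("x'), ('y")))     # ['x', 'y']: one value became two rows
    print(run(build_escaping_values(hostile)))  # ["a', 'a"]: stored as a single value
    print(run(build_escaping_whole("aaa")))     # error: the literal's own quotes were doubled
    print(run("INSERT INTO users (name) VALUES (?)", (hostile,)))  # ["a', 'a"]: no escaping needed
```

The last call is the prepared-statement form: the driver never merges the value into the SQL text, so there is nothing to escape.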

初心 2024-12-22 23:17:09

I guess escaping the SQL string is more advantageous using mysql_real_escape_string, with reference to time and memory. Some validation can be done at each input level if needed.

樱娆 2024-12-22 23:17:09

You are worried about long code for escaping each var, but for some reason you forgot the purpose of a function.

<?php
// mysql_real_escape_string() needs an open connection from the old mysql
// extension (removed in PHP 7); mysqli_real_escape_string() is its counterpart.
function escape_me($value) {
     $value = strip_tags($value);
     $value = mysql_real_escape_string($value);
     // .........
     return $value;   // without this the caller receives null
}

$var1 = escape_me($_POST['var1']);

Hopefully that gets you pointed in the right direction.
