是否有一些代码可用于过滤字符串以将转义字符放在无效的MySQL字符之前?
[英]Is there some code that I can use to filter through strings to put escape characters in front of invalid MySQL characters?
问题描述
I'm building a comment section on my website and I need to be able to filter through strings and escape invalid characters? 
我正在网站上建立评论部分,我需要能够过滤字符串并转义无效字符吗?
Is there any code that can automate this and return a string with escape characters properly placed? 是否有任何代码可以自动执行此操作并返回正确放置转义符的字符串?
I use PHP btw. 我使用PHP btw。
3 个解决方案
解决方案1
3 已采纳 2011-01-10 04:59:37
您需要mysql_real_escape_string() ,或将您的参数与PDO等绑定。
解决方案2
1 2011-01-10 05:00:01
使用内置的msyql_函数: mysql_real_escape_string 。
解决方案3
0 2011-01-10 07:43:20
Using bound variables is generally better practice than just escaping a string. 使用绑定变量通常比仅转义字符串更好。
First I'll parrot the party line that you should really consider learning to use a database abstraction layer or ORM as this will be better in the long term. 首先,我将模仿您应该真正考虑学习使用数据库抽象层或ORM的观点,因为从长远来看这会更好。 I'll leave the holy wars about which package to user for this (and the merits of PDO, etc..) to someone else. 我将把与之相关的软件包(以及PDO的优点等)留给其他人使用。
If you're using a recent version of PHP you should have the MySQLi (MySQL improved extension). 如果您使用的是最新版本的PHP,则应安装MySQLi(MySQL改进的扩展名)。 This extension allows bound parameters as explained here: 此扩展允许绑定参数,如下所述:
http://php.net/manual/en/mysqli-stmt.bind-param.php http://php.net/manual/en/mysqli-stmt.bind-param.php
Also note that while escaping a string is a good start, it's NOT enough. 还要注意,虽然转义字符串是一个好的开始,但这还不够。
see: Is htmlentities() and mysql_real_escape_string() enough for cleaning user input in PHP? 参见: htmlentities()和mysql_real_escape_string()是否足以清理PHP中的用户输入?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.