使用准备好的语句时是否需要 mysql_real_escape_string()?
[英]Is mysql_real_escape_string() necessary when using prepared statements?
问题描述
For this query, is necessary to use mysql_real_escape_string ?
对于这个查询,是否需要使用mysql_real_escape_string ?
Any improvement or the query is fine?任何改进或查询都很好?
$consulta = $_REQUEST["term"]."%";
($sql = $db->prepare('select location from location_job where location like ?'));
$sql->bind_param('s', $consulta);
$sql->execute();
$sql->bind_result($location);
$data = array();
while ($sql->fetch()) {
$data[] = array('label' => $location);
}
The query speed is important in this case.在这种情况下,查询速度很重要。
1 个解决方案
解决方案1
24 已采纳 2011-06-03 20:09:42
No, prepared queries (when used properly) will ensure data cannot change your SQL query and provide safe querying.不,准备好的查询(如果使用得当)将确保数据不会更改您的 SQL 查询并提供安全查询。 You are using them properly, but you could make just one little change.您正在正确使用它们,但您可以只做一点点改变。 Because you are using the '?'因为您使用的是“?” placeholder, it is easier to pass params through the execute method.占位符,通过execute方法传递参数更容易。
$sql->execute([$consulta]);
Just be careful if you're outputting that to your page, SQL parameter binding does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well when outputting.如果您将其输出到您的页面,请小心,SQL 参数绑定并不意味着它可以安全地显示在 HTML 中,因此在输出时也要在其上运行htmlspecialchars() 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.