是否有必要使用mysql_real_escape_string()将图像导入mysql?
[英]Is it necessary to use mysql_real_escape_string() for image into mysql?
问题描述
For example: 
例如:
$data = file_get_contents($_FILES['image']['tmp_name']);
$data = mysql_real_escape_string($data);
mysql_query("INSERT INTO table set image='$data'....
Is this a correct way to stick with? 这是坚持的正确方法吗?
2 个解决方案
解决方案1
6 2012-01-04 05:08:24
You could do a base64_encode to keep the integrity of your data, and assure that you will not have problems with characters of any kind, actually it is a very common way to keep and transfer data. 您可以执行base64_encode来保持数据的完整性,并确保任何类型的字符都不会出现问题,实际上,这是保存和传输数据的非常常用的方法。 And to get it back use base64_decode . 并使用base64_decode找回它。
解决方案2
0 已采纳 2012-01-04 05:10:15
I would recommend keeping it unless there is a reason to remove it, as its a good way to prevent sql injection. 我建议保留它,除非有理由将其删除,因为它是防止sql注入的好方法。 See here: http://php.net/manual/en/function.mysql-real-escape-string.php . 参见此处: http : //php.net/manual/en/function.mysql-real-escape-string.php 。
It is probably possible to do sql injection through an image that a user could upload or a client could accidentally use. 可能可以通过用户可以上传或客户端可能意外使用的图像进行sql注入。
A reason not to use it could be performance. 不使用它的原因可能是性能。 I would tend to recommend security over performance. 我倾向于推荐安全性而不是性能。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.