
PHP Mysqli - Parameter binding AND escape_string?

For database security do I need to do BOTH binding parameters in a prepared statement AND mysql_real_escape_string() on the input?

Thanks!

No, parameterised queries are fine on their own. As long as you keep all variable data in parameters, passed separately from the query, they can be picked up without any escape/unescape handling.

You shouldn't blanket-escape at the input phase in general - you don't know what kinds of escape (SQL, HTML, JS, ...) you're going to need until the point you actually inject a value into one of those string contexts. Applying all kinds of escapes over all input data will only lead to mangled and inconsistent input handling.
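To make the answer concrete, here is an added PHP mysqli example (not part of the original question or answer) that binds a user-supplied value containing a quote and a comment marker, shows why escaping it first would be wrong, and puts escaping where it belongs, at the HTML output step. The connection details and the `users` table are assumed placeholders.

```php
<?php
// Added example: mysqli prepared statement with bound parameters.
// Connection details and the users(id, username, email) table are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder credentials
$db->set_charset('utf8mb4');

// Constructed input: this would break or alter a string-concatenated query,
// but as a bound parameter it is only ever treated as data.
$username = "o'brien'; -- ";

// 1. The SQL text contains no user data, only a placeholder.
$stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');

// 2. The value travels separately from the SQL and is never parsed as SQL,
//    so it must not be passed through real_escape_string() first.
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($id, $email);

while ($stmt->fetch()) {
    // Escape at the output context, not at input: HTML here, when rendering.
    echo htmlspecialchars((string) $email, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
}
$stmt->close();

// What the answer warns against: escaping and then binding double-handles the
// value. The query would compare against o\'brien instead of o'brien, and an
// INSERT done the same way would store the literal backslash in the table.
$doubleHandled = $db->real_escape_string($username); // do NOT bind this
```

`real_escape_string()` is only needed when a value is being spliced directly into SQL text; with `bind_param()` that never happens, so the only escaping left is the one that matches the place the data is finally rendered (HTML, JavaScript, a shell command, and so on).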
