How does mysql_real_escape_string work? Does it delete mysql functions or add // between mysql function? Is it better than addslashes
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \\x00, \\n, \\r, \\, ', " and \\x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
IMO, its better to use this function than attempting to recreate, most of the time.
When sanitizing database inputs you should always use mysql_real_escape_string
over addslashes
and other not native PHP functions unless you are using the newer PDO library.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \\x00, \\n, \\r, \\, ', " and \\x1a.
Source@ http://php.net/manual/en/function.mysql-real-escape-string.php
You should also be aware that PHP has provided a native Library called PDO which is a class that manages your database sanitization so you do not have to worry to much.
Prepared statements are handled by the database service itself, this increases security and performance over all.
If you wish to implement prepared Statements you would need to learn and incorporate PDO Are another native database abstraction layer.
To implement PDO Click here
To learn more about Prepared Statements Click Here
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.