How to properly escape a string via PHP and mysql
Question
Can someone explain what is the difference between using mysql_real_escape_string on a string or wrapping `` around the column.
For example "insert into table (``column``) values ('$string')"
or
$escapestring = mysql_real_escape_string($string);
"insert into table (column) values ('$escapedstring')"
What is the difference between these two and what should I use? Thanks.
2 answers
solution1
2 2011-04-30 07:25:46
There's a difference between the backtick ` and the single quote ' .
The backtick is intended to escape table and field names that may conflict with MySQL reserved words. If I had a field named date and a query like SELECT date FROM mytable I'd need to escape the use of date so that when MySQL parses the query, it will interpret my use of date as a field rather than the datatype date .
The single quote ' is intended for literal values, as in SELECT * FROM mytable WHERE somefield='somevalue' . If somevalue itself contains single quotes, then they need to be escaped to prevent premature closing of the quote literal.
solution2
-1 2011-04-30 07:19:38
Those two aren't related at all (as far I know anyway)
From the manual: http://php.net/manual/en/function.mysql-real-escape-string.php
Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query().
So essentially what it does is, it will escape characters that are unsafe to go into mysql queries (that might break or malform the query)
So o'reily will become o\'reily
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.