stackoom
  简体   繁体   中英

PHP mysql_real_escape_string() and % character

 原文  2011-06-24 21:12:17       php/ mysql/ security/ sql-injection/ wildcard

Question

mysql_real_escape_string()% (百分比)字符做了什么以及它代表了多少安全风险(以及如何修复它)?

3 answers

solution1
 7 ACCPTED  2011-06-24 21:14:16

From the mysql_real_escape_string() documentation :

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

As far as security, unless you are running a LIKE , GRANT , or REVOKE , it's a non-issue. LIKE is probably the only real concern. It's up to you how you would want to escape it in these situations.

A quick example: 

"... LIKE '%" . mysql_real_escape_string($string) . "%' ..."

solution2
 4  2011-06-24 21:15:50

It does not do nothing with % character. Why didn't you try it?

solution3
 1  2011-06-24 21:14:03

Taken from:

http://php.net/manual/en/function.mysql-real-escape-string.php

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Problem with PHP mysql_real_escape_string mysql_real_escape_string with PDO PHP Php, undo mysql_real_escape_string Is there PHP mysql_real_escape_string for postgresql? Get rid of \ character on mysql_real_escape_string() parsed string mysql_real_escape_string and ’ MySQL PHP mysql_real_escape_string() - is this value not a string? PHP, mysql_real_escape_string and MySQL query PHP mysql_real_escape_string returns empty string mysql_real_escape_string does not escape "
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM