Question
<?php
// Escape a string for use inside a quoted MySQL literal.
// get_magic_quotes_gpc() reports whether PHP already added backslashes to
// request data (magic_quotes_gpc); those must be stripped first so the value
// is not escaped twice.
function escape($value) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string");
    if ($magic_quotes_active) {
        // undo the automatic escaping before escaping properly
        $value = stripslashes($value);
    }
    if ($new_enough_php) {
        // connection-aware escaping (requires an open mysql_connect() link)
        $value = mysql_real_escape_string($value);
    } else {
        // fallback for very old PHP versions without mysql_real_escape_string()
        $value = addslashes($value);
    }
    return $value;
}
For a long time I have been using the above function for escaping strings. Now I want to ask: do I need to use that function (I found it on the internet for escaping strings; it works with most versions of PHP)? Or is it making things unnecessarily complex?
Recommended answer
No, you should, in fact, avoid using functions like these at all cost! What you should be looking into is the use of prepared statements.
Check the doc pages of any of the mysql_* functions, and notice the red warning-thing: the extension has begun the deprecation process; instead PDO or mysqli_* is suggested.
To avoid injection, prepared statements are what you should use... read a couple of articles on the matter, and look into the advantages of both PDO and mysqli_*. That's, I'm afraid, the only way forward...
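What the answer recommends, written out as an added example (this is not the poster's code and not code from the answer): the same lookup done with a PDO prepared statement and with a mysqli prepared statement, so the SQL text and the user-supplied value travel to the server separately and no escaping helper is involved at all. The table `users(id, name)`, the sample rows and the in-memory SQLite DSN are assumptions chosen so the script runs without a database server; with a MySQL DSN such as `mysql:host=localhost;dbname=app` the two lookup functions are unchanged.

```php
<?php
// Added example, not from the original question or answer.
// Assumptions: a table users(id, name); an in-memory SQLite DSN so the
// script runs offline. Swap in a MySQL DSN in production; findUserPdo()
// and findUserMysqli() do not change.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:'); // assumed DSN for the offline demo
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the MySQL driver, also turn off emulated prepares so the server,
    // not the client library, performs the parameter binding:
    // $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    foreach (["alice", "bob", "o'brien"] as $name) { // constructed sample rows
        $insert->execute([':name' => $name]);
    }
    return $pdo;
}

// PDO prepared statement: the SQL text is fixed at prepare() time and the
// value is bound separately, so quotes or SQL keywords in $name are data.
function findUserPdo(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same lookup with mysqli_*; needs a live MySQL connection and the
// mysqlnd driver for get_result(), shown for the answer's second option.
function findUserMysqli(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$pdo = connect();

// A quote inside the data is just data: no stripslashes/addslashes dance,
// and no dependency on the connection charset.
var_dump(findUserPdo($pdo, "o'brien"));     // one row: id 3, name o'brien

// Input that contains SQL syntax is compared literally against the column,
// so it matches nothing instead of altering the query.
var_dump(findUserPdo($pdo, "' OR '1'='1"));  // empty array
```

The `escape()` helper from the question guards a string that is later spliced into the query text, so its correctness depends on magic quotes, the connection link and the server charset all lining up. With a prepared statement none of that is in play: the placeholder is the only place a value can land, which is why the answer calls this the only way forward.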