问题描述

我看到了此评论.... http://www.php.net/manual/zh/function.mysql-real-escape-string.php#93005

I saw this comment.... http://www.php.net/manual/en/function.mysql-real-escape-string.php#93005

开始怀疑为什么这是个坏主意.

And began to wonder why this would be a bad idea.

推荐答案

由于以下几个原因，这是个坏主意:

It's a bad idea for a couple reasons:

• 首先，它假设您的输入将永远进入数据库和单独进入数据库.如果要使用某些东西怎么办在HTML输出中?还是在电子邮件中?或者写入文件?或许多其他东西..你的过滤应该总是对上下文敏感.

• 更重要的是，它鼓励s草地使用GET，POST等，因为没有迹象表明他们已经被过滤.如果有人看到你使用

• First, it assumes that your inputswill always be going into thedatabase and into the database alone.What if something is going to be usedin HTML output? Or in an email? Orwritten to a file? Or lots of otherthings.. your filtering should alwaysbe context-sensitive.

• More importantly, it encouragessloppy use of GET, POST, etc becausethere's no indication that they'vebeen filtered. If someone sees youuse

回显$ _POST ['name'];

echo $_POST['name'];

在页面上，他们怎么知道被过滤了吗?甚至更糟的是...你确定是吗?那个怎么样其他应用程式?你知道的，你曾经是刚交?新开发者会做什么?他们甚至不知道过滤很重要吗?

on a page, how would they know it'sbeen filtered? Or even worse... areyou sure it has been? What about thatother app? You know, the one you werejust handed? What would new developers do? Would they even know that filtering is important?

这篇关于什么时候不应该使用mysql_real_escape_string的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！