问题描述

http://php.net/manual/en/function. mysql-escape-string.php

那是为什么?

推荐答案

由于mysql支持一些极为罕见的编码，其中mysql_escape_string将允许SQL注入，但mysql_real_escape_string()不允许.

Because there are some extremely rare encodings supported by mysql, in which mysql_escape_string will allow an SQL injection, but mysql_real_escape_string() won't.

但是，只要您的编码是单字节或UTF-8，mysql_escape_string()都不会受到损害，并且可以不用担心使用它.

However, as long as your encoding is either single-byte or UTF-8, there will be no harm from mysql_escape_string() ever and one can use it with no fear.

另一方面，要注意，实际上mysql_real_escape_string() 如果单独使用，不会有任何好处.
仅当使用mysql_set_charset()函数(或通过某些mysql服务器调整)设置了mysql驱动程序编码时，它才能按需工作.
否则，它的行为将与已毁名的mysql_escape_string()完全相同.

On the other hand, it is to be noted that in fact mysql_real_escape_string() won't do any good if used by itself.
It will work as desired only if mysql driver encoding was set, using mysql_set_charset() function (or by some mysql server tweak).
Otherwise it will act exactly the same way as defamed mysql_escape_string().

还要注意，实际上不鼓励同时使用两种功能，主要是因为使用不当.
而且当地人确实大量推动使用PDO准备好的声明.

Also to be noted that actually both these functions are discouraged, mostly because of improper use.
And local folks do extensively push PDO prepared statements to use instead.

您可能已经猜到了，PDO准备好的语句如果单独使用，开箱即用不会有任何好处.必须采取一些准备工作.
一个必须要么

As you may guess by now, PDO prepared statements won't do any good if used by itself, out of the box. Some preparations have to be taken.
One have to either

• 关闭默认启用的仿真模式
• 或设置我们的老朋友-mysql驱动程序编码-而此类操作仅在DSN中允许，并且仅从5.3.3版本开始可用.

或者在执行某些极为罕见的编码方面，PDO和mysql_escape_string之间没有区别.

or there will be no difference between PDO and mysql_escape_string in terms of acting for some extremely rare encodings.

这篇关于为什么强烈建议不要使用mysql_escape_string?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！