问题描述
一直在阅读有关预防SQL注入的最新消息,并且我试图在不同功能之间形成一些理解,以便我可以学习基础知识。
我已阅读 mysql_real_escape_string 我知道它基本上是逃避它认为是特殊的字符,所以它不会与SQL语法混淆?
$ b $现在,假设至少在某种程度上是正确的 - 是否需要使用
stripslashes 函数结合 mysql_real_escape_string code>?我想知道 stripslashes 是什么以及它是干什么的。
解决方案如果在使用 mysql_real_escape_string 后在输入上使用 stripslashes ,您将有效地撤消它。可能还有其他一些原因使用 stripslashes ,但在我的情况下,我只需要它就可以解除魔术引号的恐怖。它实际上与 addslashes 相反。
addslashes 不一定转义输入与 mysql_real_escape_string 相同,并且它们不能用于相同的目的。
甚至比 mysql_ * 更好,您应该阅读使用准备好的语句,如。那么你甚至不用担心 mysql _ * 或 stripslashes (魔术引号除外)。
I have been reading most recently about prevention of SQL injection and I am trying to develop some sense of understanding between the different functions so that I can learn the basics.
I have read about mysql_real_escape_string and I understand that it is basically escaping characters which it deems "special" so that it is not confused for SQL syntax?
Now, assuming that is at least to some degree true - is there a need to use the stripslashes function combined with the mysql_real_escape_string? I'm wondering about what stripslashes is and what it is for.
解决方案 If you use stripslashes on input right after using mysql_real_escape_string, you will effectively undo it. There are probably other reasons to use stripslashes, but in my case I have only ever needed it to undo the horror that is magic quotes. It's actually the opposite of addslashes.
addslashes does not necessarily escape input the same as mysql_real_escape_string does, and they cannot be used for the same purpose.
Even better than mysql_*, you should read up on using prepared statements like in PDO. Then you don't even have to worry about mysql_* or stripslashes (except for magic quotes).
这篇关于什么是stripslashes?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!