21,886
社区成员
发帖
与我相关
我的任务
分享为什么不用addslashes 或者htmlspecialchars
看了STBLOG和骑士cms后发现为什么他们在将内容插入数据库时 不通过上述函数进行转义呢?
各位姐妹兄弟你们在进行数据库插入时是怎么做的?
各位姐妹兄弟你们在进行数据库插入时是怎么做的?
...全文
请发表友善的回复…
发表回复
skyaspnet 2011-02-13
- 打赏
- 举报
[Quote=引用楼主 zfm1988 的回复:]
看了STBLOG和骑士cms后发现为什么他们在将内容插入数据库时 不通过上述函数进行转义呢?
各位姐妹兄弟你们在进行数据库插入时是怎么做的?
[/Quote]
参考更合适的过滤函数:
mysqli::real_escape_string
mysqli_real_escape_string
(PHP 5)
mysqli::real_escape_string -- mysqli_real_escape_string — Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection
说明
面向对象风格
string mysqli::escape_string ( string $escapestr )
string mysqli::real_escape_string ( string $escapestr )
过程化风格
string mysqli_real_escape_string ( mysqli $link , string $escapestr )
This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.
参数
link
仅以过程化样式:由 mysqli_connect() 或 mysqli_init() 返回的链接标识。
escapestr
The string to be escaped.
Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.
返回值
Returns an escaped string.
范例
Example #1 mysqli::real_escape_string() example
面向对象风格
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");
$city = "'s Hertogenbosch";
/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", $mysqli->sqlstate);
}
$city = $mysqli->real_escape_string($city);
/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", $mysqli->affected_rows);
}
$mysqli->close();
?>
过程化风格
<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");
$city = "'s Hertogenbosch";
/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", mysqli_sqlstate($link));
}
$city = mysqli_real_escape_string($link, $city);
/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", mysqli_affected_rows($link));
}
mysqli_close($link);
?>
以上例程会输出:
Error: 42000
1 Row inserted.
看了STBLOG和骑士cms后发现为什么他们在将内容插入数据库时 不通过上述函数进行转义呢?
各位姐妹兄弟你们在进行数据库插入时是怎么做的?
[/Quote]
参考更合适的过滤函数:
mysqli::real_escape_string
mysqli_real_escape_string
(PHP 5)
mysqli::real_escape_string -- mysqli_real_escape_string — Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection
说明
面向对象风格
string mysqli::escape_string ( string $escapestr )
string mysqli::real_escape_string ( string $escapestr )
过程化风格
string mysqli_real_escape_string ( mysqli $link , string $escapestr )
This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.
参数
link
仅以过程化样式:由 mysqli_connect() 或 mysqli_init() 返回的链接标识。
escapestr
The string to be escaped.
Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.
返回值
Returns an escaped string.
范例
Example #1 mysqli::real_escape_string() example
面向对象风格
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");
$city = "'s Hertogenbosch";
/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", $mysqli->sqlstate);
}
$city = $mysqli->real_escape_string($city);
/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", $mysqli->affected_rows);
}
$mysqli->close();
?>
过程化风格
<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");
$city = "'s Hertogenbosch";
/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", mysqli_sqlstate($link));
}
$city = mysqli_real_escape_string($link, $city);
/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", mysqli_affected_rows($link));
}
mysqli_close($link);
?>
以上例程会输出:
Error: 42000
1 Row inserted.
LiveAsaMonster 2011-02-12
- 打赏
- 举报
插入数据库为毛要转?
Abin-2008 2011-02-12
- 打赏
- 举报
[Quote=引用 1 楼 liveasamonster 的回复:]
插入数据库为毛要转?
[/Quote]
永远都不要相信用户的输入.
插入数据库为毛要转?
[/Quote]
永远都不要相信用户的输入.
Abin-2008 2011-02-12
- 打赏
- 举报
STBLOG
是用的CI框架.他的接受数据在框架中带到了你说的功能.
骑士cms我就不知道了.
是用的CI框架.他的接受数据在框架中带到了你说的功能.
骑士cms我就不知道了.
清风闲客 2011-02-12
- 打赏
- 举报
[Quote=引用 2 楼 life169 的回复:]
他们在js中转的,没有用php的函数
[/Quote]
+1
转义不是php特有的功能!
他们在js中转的,没有用php的函数
[/Quote]
+1
转义不是php特有的功能!
life169 2011-02-12
- 打赏
- 举报
他们在js中转的,没有用php的函数
