dsfsda121545 2013-03-04 23:26
38 views
Accepted

PHP Mysqli - bind parameters AND escape_string?

For database security do I need to do BOTH binding parameters in a prepared statement AND mysql_real_escape_string() on the input?

Thanks!


1 answer

  • douhuo3696 2013-03-05 00:47

    No, parameterised queries are fine on their own. As long as you keep all variable data in parameters, passed separately from the query, they can be picked up without any escape/unescape handling.

    You shouldn't blanket-escape at the input phase in general - you don't know what kinds of escape (SQL, HTML, JS, ...) you're going to need until the point you actually inject a value into one of those string contexts. Applying all kinds of escapes over all input data will only lead to mangled and inconsistent input handling.

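The three approaches the answer contrasts, as an added example that is not part of the original question or answer. It assumes a hypothetical table `users(id INT, name VARCHAR)` and placeholder connection details; `findUser` is a name chosen here.

```php
<?php
// Added example, not from the original post. Connection values are placeholders.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$db->set_charset('utf8mb4');           // escaping is only correct for the connection charset
$input = "O'Reilly";                   // constructed input containing a single quote

// 1) Insecure: variable data spliced into the SQL text. The quote in $input
//    changes the structure of the query instead of being treated as data.
// $sql = "SELECT id FROM users WHERE name = '$input'";

// 2) Escaping alone: works only if the value sits inside quotes in the SQL and
//    the escape function matches the connection's charset.
$sql = "SELECT id FROM users WHERE name = '" . $db->real_escape_string($input) . "'";

// 3) Prepared statement: the value is sent separately from the query text, so
//    the server never parses it as SQL and no escaping is needed.
function findUser(mysqli $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);     // 's' marks the parameter as a string
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

// Doing both (escape, then bind) does not add safety; it changes the data.
findUser($db, $input);                           // looks up the name  O'Reilly
findUser($db, $db->real_escape_string($input));  // looks up the name  O\'Reilly, which matches nothing
```

The last two calls show the mangling the answer warns about: once a value is bound as a parameter, any escaping applied beforehand becomes part of the stored or searched value.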
