duanju6788 2012-11-18 07:48
浏览 32
已采纳

php mysqli我应该使用real_escape_string吗? [重复]

Possible Duplicate:
Do I need to escape data to protect against SQL injection when using bind_param() on MySQLi?

I have a class that simplifies doing a queries. Here is a code example how to insert data:

$dbi->prepare("INSERT INTO `temp` (`name`,`content`) VALUES (?,?);")->execute($name,$content);

There is a function in class like this:

public function execute(){
        if(is_object($this->connection) && is_object($this->stmt)){
            if(count($args = func_get_args()) > 0){
                $types = array();
                $params = array();

                foreach($args as $arg){
                    $types[] = is_int($arg) ? 'i' : (is_float($arg) ? 'd' : 's');
                    $params[] = $arg;
                                              /*
                                                 or maybe $params[] = $this->connection->real_escape_string($arg);
                                              */
                }

                array_unshift($params, implode($types));

                call_user_func_array(
                    array($this->stmt, 'bind_param'),
                    $this->_pass_by_reference($params)
                );
            }

            if($this->stmt->execute()){
                $this->affected_rows = $this->stmt->affected_rows;
                return $this;
            }
            else {
                throw new Exception;
            }
        }
        else {
            throw new Exception;
        }
    }

When I declare $params[] I have like this $params[] = $arg; Should I put $params[] = $this->connection->real_escape_string($arg); or not?

Thanks.

展开全部

  • 写回答

2条回答 默认 最新

  • duanbo7517 2012-11-18 07:59
    关注

    According to PHP Manual on mysqli and prepared statements:

    Escaping and SQL injection

    Bound variables will be escaped automatically by the server. The server inserts their escaped values at the appropriate places into the statement template before execution. A hint must be provided to the server for the type of bound variable, to create an appropriate conversion. See the mysqli_stmt_bind_param() function for more information.

    The automatic escaping of values within the server is sometimes considered a security feature to prevent SQL injection. The same degree of security can be achieved with non-prepared statements, if input values are escaped correctly.

    So no, you don't have to take care about escaping, server will take care about escaping for you.

    Escaping manually will result in double escaped values. And in my personal opinion the greatest advantage of placeholders ? in sql statements is that you don't have to take care about escaping.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)
编辑
预览

报告相同问题?

悬赏问题

  • ¥15 ArcGIS Pro时空模式挖掘工具
  • ¥15 获取到海康hls的视频地址是http协议导致无法正常播放
  • ¥15 seL4如何实现从终端输入数据
  • ¥15 方波信号时频特征分析/信号调制与解调过程分析/利用DFT分析信号频谱
  • ¥20 两台硬件相同的琴设备一个是高阶版,怎么扒到初阶版
  • ¥30 matlab求解周期与坐标
  • ¥15 MATLAB图片转灰度格式问题
  • ¥15 把h5作品链接复制到自己的账号里
  • ¥15 ensp抓包实验配置
  • ¥15 强化学习算法、MRO
手机看
程序员都在用的中文IT技术交流社区

程序员都在用的中文IT技术交流社区

专业的中文 IT 技术社区,与千万技术人共成长

专业的中文 IT 技术社区,与千万技术人共成长

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

客服 返回
顶部