duanju6788 2012-11-18 15:48
浏览 32
已采纳

php mysqli我应该使用real_escape_string吗? [重复]

Possible Duplicate:
Do I need to escape data to protect against SQL injection when using bind_param() on MySQLi?

I have a class that simplifies doing a queries. Here is a code example how to insert data:

$dbi->prepare("INSERT INTO `temp` (`name`,`content`) VALUES (?,?);")->execute($name,$content);

There is a function in class like this:

public function execute(){
        if(is_object($this->connection) && is_object($this->stmt)){
            if(count($args = func_get_args()) > 0){
                $types = array();
                $params = array();

                foreach($args as $arg){
                    $types[] = is_int($arg) ? 'i' : (is_float($arg) ? 'd' : 's');
                    $params[] = $arg;
                                              /*
                                                 or maybe $params[] = $this->connection->real_escape_string($arg);
                                              */
                }

                array_unshift($params, implode($types));

                call_user_func_array(
                    array($this->stmt, 'bind_param'),
                    $this->_pass_by_reference($params)
                );
            }

            if($this->stmt->execute()){
                $this->affected_rows = $this->stmt->affected_rows;
                return $this;
            }
            else {
                throw new Exception;
            }
        }
        else {
            throw new Exception;
        }
    }

When I declare $params[] I have like this $params[] = $arg; Should I put $params[] = $this->connection->real_escape_string($arg); or not?

Thanks.

  • 写回答

2条回答 默认 最新

  • duanbo7517 2012-11-18 15:59
    关注

    According to PHP Manual on mysqli and prepared statements:

    Escaping and SQL injection

    Bound variables will be escaped automatically by the server. The server inserts their escaped values at the appropriate places into the statement template before execution. A hint must be provided to the server for the type of bound variable, to create an appropriate conversion. See the mysqli_stmt_bind_param() function for more information.

    The automatic escaping of values within the server is sometimes considered a security feature to prevent SQL injection. The same degree of security can be achieved with non-prepared statements, if input values are escaped correctly.

    So no, you don't have to take care about escaping, server will take care about escaping for you.

    Escaping manually will result in double escaped values. And in my personal opinion the greatest advantage of placeholders ? in sql statements is that you don't have to take care about escaping.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 做个有关计算的小程序
  • ¥15 MPI读取tif文件无法正常给各进程分配路径
  • ¥15 如何用MATLAB实现以下三个公式(有相互嵌套)
  • ¥30 关于#算法#的问题:运用EViews第九版本进行一系列计量经济学的时间数列数据回归分析预测问题 求各位帮我解答一下
  • ¥15 setInterval 页面闪烁,怎么解决
  • ¥15 如何让企业微信机器人实现消息汇总整合
  • ¥50 关于#ui#的问题:做yolov8的ui界面出现的问题
  • ¥15 如何用Python爬取各高校教师公开的教育和工作经历
  • ¥15 TLE9879QXA40 电机驱动
  • ¥20 对于工程问题的非线性数学模型进行线性化