mysql语句转义_关于mysql语句的转义
It is recommended to use either the mysqli or PDO_MySQL extensions. It is not recommended to use the old mysql extension for new development, as it has been deprecated as of PHP 5.5.0 and will be removed in the future.
官⽅建议使⽤mysqli的库,因为mysql库会在PHP5.5.0⾥去掉,所以建议在新项⽬中使⽤
mysqli_real_escape_string
⼀,⾸先看addslashes,它定义中只会对单引号('),双引号(“)和反斜杠(\)和NULL字符进⾏转义。它在php源码(php-5.4.14)⾥的实现很好的说明了这⼀点。
PHPAPI char *php_addslashes(char *str, int length, int *new_length,int should_free TSRMLS_DC)
{/*maximum string length, worst case situation*/char*new_str;
char*source, *target;
char*end;
int local_new_length;if (!new_length) {
new_length= &local_new_length;
}if (!str) {*new_length = 0;returnstr;
}
new_str= (char *) safe_emalloc(2, (length ? length : (length = strlen(str))), 1);
source=str;end = source +length;
target=new_str;while (source < end) {switch (*source) {case '\0':
*target++ = '\\';*target++ = '0';break;case '\'':
case '\"':
case '\\':
*target++ = '\\';/*break is missing *intentionally**/
default:
*target++ = *source;break;
}
source++;
}*target = 0;*new_length = target -new_str;if(should_free) {
STR_FREE(str);
}
new_str= (char *) erealloc(new_str, *new_length + 1);returnnew_str;
}
⼆,再来看mysql_escape_string的源码,它是直接调⽤了Mysql C的API中的mysql_escape_string。注意代码⾥的话:这个函数已经被mysql_real_escape_string取代了,尽量别⽤这个函数
PHP_FUNCTION(mysql_escape_string)
{char *str;intstr_len;if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) ==FAILURE) {return;
}/*assume worst case situation, which is 2x of the original string.
* we don't realloc() down to the real size since it'd most probably not
* be worth it*/Z_STRVAL_P(return_value)= (char *) safe_emalloc(str_len, 2, 1);
Z_STRLEN_P(return_value)=mysql_escape_string(Z_STRVAL_P(return_value), str, str_len);
Z_TYPE_P(return_value)=IS_STRING;
php_error_docref("sql-real-escape-string" TSRMLS_CC, E_DEPRECATED, "This function is deprecated; use mysql_real_escape_string() instead.");
}
三,同样,mysql_real_escape_string也调⽤了mysql C的API mysql_real_escape_string,注意如果填写了第⼆个参数,这⾥会检查数据库连接是否可⽤。
PHP_FUNCTION(mysql_real_escape_string)
{
zval*mysql_link =NULL;char *str;char *new_str;int id = -1, str_len, new_str_len;
php_mysql_conn*mysql;if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &str, &str_len, &mysql_link)
==FAILURE) {return;
}if (ZEND_NUM_ARGS() == 1) {
id=php_mysql_get_default_link(INTERNAL_FUNCTION_PARAM_PASSTHRU);
CHECK_LINK(id);
}
ZEND_FETCH_RESOURCE2(mysql, php_mysql_conn*, &mysql_link, id, "MySQL-Link", le_link, le_plink);
new_str= safe_emalloc(str_len, 2, 1);
new_str_len= mysql_real_escape_string(mysql->conn, new_str, str, str_len);
new_str= erealloc(new_str, new_str_len + 1);
RETURN_STRINGL(new_str, new_str_len,0);
}
⽽还有⼀个API mysqli_real_escape_string,其实它也调⽤的是C的API mysql_real_escape_string
PHP_FUNCTION(mysqli_real_escape_string) {
MY_MYSQL*mysql;
zval*mysql_link =NULL;char *escapestr, *newstr;intescapestr_len, newstr_len;if
(zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &mysql_link, mysqli_link_class_entry,
&escapestr, &escapestr_len) ==FAILURE) {return;
}
MYSQLI_FETCH_RESOURCE_CONN(mysql,&mysql_link, MYSQLI_STATUS_VALID);
newstr= safe_emalloc(2, escapestr_len, 1);
newstr_len= mysql_real_escape_string(mysql->mysql, newstr, escapestr, escapestr_len);
newstr= erealloc(newstr, newstr_len + 1);
RETURN_STRINGL(newstr, newstr_len,0);
}error parse new
四,总结:
1,建议新开发的项⽬使⽤转义mysql时使⽤mysqli_real_escape_string
2, 强烈建议使⽤ DBMS 指定的转义函数 (⽐如 MySQL 是 mysqli_real_escape_string(),PostgreSQL 是 pg_escape_string()),但是如果你使⽤的 DBMS 没有⼀个转义函数,并且使⽤ \ 来转义特殊字符,你可以使⽤这个函数。
3,当magic_qutoes_gpc开关为on时,实际上所有的 GET、POST 和 COOKIE 数据都⽤被addslashes。如果要⽤msyql的escape函数,需要先调⽤stripslashes函数
4,addslashes会对(NULL), ('), ("), (\)进⾏转义,⽽mysql_real_escape_string和mysqli_real_escape_string除了转义addslashes的字符外,还会对(\n), (\r), (Control-Z)进⾏转义,并且会根据数据库连接的字符集来处理
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论