addslashes, mysql_real_escape_string and mysql_escape_string introduction_PHP tutorial

This article will give you a brief introduction to some usages and differences of addslashes(), mysql_real_escape_string() and mysql_escape_string() in php. Friends who are interested can refer to it.

I really haven’t paid attention to this aspect before. When I was writing, I used a very simple function addslashes(). The function adds a backslash before the specified predefined characters.

These predefined characters are:

•Single quote (')
•Double quotes (")
•Backslash ()
•NULL

The code is as follows

代码如下	复制代码
function as_array(&$arr_r) { foreach ($arr_r as &$val) is_array($val) ? as_array($val):$val=addslashes($val); unset($val); } as_array($_POST); ?>

Copy code

function as_array(&$arr_r)

{

foreach ($arr_r as &$val) is_array($val) ? as_array($val):$val=addslashes($val);

unset($val);

代码如下	复制代码
if (!get_magic_quotes_gpc()) { $lastname = addslashes($_POST[‘lastname’]); } else { $lastname = $_POST[‘lastname’]; }

}

as_array($_POST);

?>

Although many domestic PHP programmers still rely on addslashes to prevent SQL injection, it is recommended that everyone strengthen checks to prevent SQL injection in Chinese. The problem with addslashes is that hackers can use 0xbf27 instead of single quotes, while addslashes only changes 0xbf27 to 0xbf5c27, which becomes a valid multi-byte character. 0xbf5c is still regarded as a single quote, so addslashes cannot successfully intercept.

Of course, addslashes is not useless. It is used for processing single-byte strings. For multi-byte characters, use mysql_real_escape_string.

In addition, for the example of get_magic_quotes_gpc in the php manual:

}

The code is as follows

Copy code

if (!get_magic_quotes_gpc()) {

$lastname = addslashes($_POST[‘lastname’]);

} else {

代码如下	复制代码
function escape($str){ if(function_exists('mysql_escape_string')){ return mysql_escape_string($str); }elseif( function_exists(...real_escape...)){ //real_escape }else{ if(MAGIC_QUOTER ....判断){ return $str }else{ return addslashes($str); } } }

$lastname = $_POST[‘lastname’];

<🎜> <🎜> <🎜>It is best to check $_POST[’lastname’] when magic_quotes_gpc is already open. <🎜> <🎜> Let’s talk about the difference between the two functions mysql_real_escape_string and mysql_escape_string: <🎜> mysql_real_escape_string can only be used under (PHP 4 >= 4.3.0, PHP 5). mysql_escape_string (PHP 4 >= 4.0.3, PHP 5, Note: This method has been deprecated in PHP5.3 and is not recommended), // Description: Use array_map() to call mysql_real_escape_string to clean the array<🎜> // Organizing: http://www.bKjia.c0m<🎜> function mysqlClean($data)<🎜> {<🎜> return (is_array($data))?array_map('mysqlClean', $data):mysql_real_escape_string($data);<🎜> }<🎜> ?> The difference between the two is: mysql_real_escape_string takes into account the current character set of the connection, while mysql_escape_string does not. To summarize: PHP code

The code is as follows	Copy code
http://www.bkjia.com/PHPjc/628831.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/628831.htmlTechArticleThis article will give you a brief introduction to addslashes(), mysql_real_escape_string() and mysql_escape_string() in php Usage and differences can be referenced by friends who know how to use them. Never before...