Home >php教程 >php手册 >php mysql_real_escape_string函数用法与实例教程

php mysql_real_escape_string函数用法与实例教程

WBOY
WBOYOriginal
2016-05-24 13:25:221891browse

转义特殊字符在unescaped_string,考虑到当前字符的连接设置,以便它在的地方是安全的在mysql_query(),如果二进制数据要插入,这个函数必须被使用.

mysql_real_escape_string - 转义特殊字符的SQL语句中使用字符串

string mysql_real_escape_string (string $unescaped_string [,resource $link_identifier ] )

mysql_real_escape_string()调用MySQL的库函数mysql_real_escape_string,其中prepends反斜杠以下字符:x00 ñ ṛ,,',“和但X1a.

这个函数必须始终(除了少数例外)被用来制作发送之前查询到MySQL数据的安全.

unescaped_string:该字符串进行转义

link_identifier,MySQL的连接,如果没有指定连接标识符,最后一个环节开幕mysql_connect()函数假设,如果没有这样的链接被发现,它会尝试创建一个犹如mysql_connect()是不带参数调用,如果没有找到或建立连接,一会生成一条E_WARNING级别的错误.

实例一,代码如下:

<?php 
	// Connect 
	$link = mysql_connect(&#39;mysql_host&#39;, &#39;mysql_user&#39;, &#39;mysql_password&#39;) 
	    OR die(mysql_error()); 
	 
	// Query 
	$query = sprintf("SELECT * FROM users WHERE user=&#39;%s&#39; AND password=&#39;%s&#39;", 
	            mysql_real_escape_string($user), 
	            mysql_real_escape_string($password)); 
	 

实例二,代码如下:

<?php 
	// Query database to check if there are any matching users 
	$query = "SELECT * FROM users WHERE user=&#39;{$_POST[&#39;username&#39;]}&#39; AND password=&#39;{$_POST[&#39;password&#39;]}&#39;"; 
	mysql_query($query); 
	//开源代码phprm.com 
	// We didn&#39;t check $_POST[&#39;password&#39;], it could be anything the user wanted! For example: 
	$_POST[&#39;username&#39;] = &#39;aidan&#39;; 
	$_POST[&#39;password&#39;] = "&#39; OR &#39;&#39;=&#39;"; 
	 
	// This means the query sent to MySQL would be: 
	echo $query; 
	 

查询发送到MySQL:选择*从用户的WHERE用户='艾丹'和password = ''或''='',这将允许任何人登录没有有效的密码.

本文地址:

转载随意,但请附上文章地址:-)

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn