blocks|key|905542|text|我想转义sql字符串使用mysql_real_escape_string会更有优势。在时间和记忆方面。如果需要，可以在每个输入级别执行一些验证。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|905543|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

I guess escaping the sql string is more advantageous using mysql_real_escape_string. In reference to time and memory. Some validations can be done at each input level if needed.

blocks|key|3352674|text|它不起作用，因为在查询中，你使用‘单引号’来表示值，你不想要那些转义的值，但你确实想转义可能包含单引号的值。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3352675|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

It doesn't work because inside the query you are using things like ' single quotes to indicate values and you don't want those escaped, but you do want to escape the values that might contain single quotes.

blocks|key|908555|text|使用准备好的语句和绑定参数。任何其他的事情都是等待发生的黑客攻击|type|unstyled|depth|inlineStyleRanges|entityRanges|data|908556|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

Use prepared statements and use bind parameters. Anything else is a hack waiting to happen

blocks|key|905620|text|逐个转义每个输入。如果要对整个SQL查询执行此操作，则无法确保SQL语句在转义后仍然有效。比方说不是|type|unstyled|depth|inlineStyleRanges|entityRanges|data|905621|aaa|code-block|syntax|javascript|905622|用户将键入|905623|a",+"a|905624|因此，在生成的SQL中，您将收到|905625|("a",+"a")+|905626|而不是|905627|("aaa")|905628|我认为在这种情况下，转义整个SQL语句是行不通的。|905629|entityMap^0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|W|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|X|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|Y|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|Z|8|@]|9|@]|A|$E|F]]|$1|K|3|L|5|6|7|10|8|@]|9|@]|A|$]]|$1|M|3|N|5|D|7|11|8|@]|9|@]|A|$E|F]]|$1|O|3|P|5|6|7|12|8|@]|9|@]|A|$]]|$1|Q|3|R|5|D|7|13|8|@]|9|@]|A|$E|F]]|$1|S|3|T|5|6|7|14|8|@]|9|@]|A|$]]|$1|U|3|-4|5|6|7|15|8|@]|9|@]|A|$]]]|V|$]]

Escape each inputs one by one. If you will do this for the whole SQL query, you cannot be sure that SQL statement is still valid after escaping. Let's say instead of

<pre><code>aaa
</code></pre>

user will type in

<pre><code>a", "a
</code></pre>

so in the generated SQL you will receive 

<pre><code>("a", "a") 
</code></pre>

instead of

<pre><code>("aaa")
</code></pre>

I think that escaping whole SQL statement will not work in such situation.

blocks|key|908598|text|您担心用于转义每个变量的冗长代码，但由于某种原因，您忘记了函数的用途。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|908599|function+escape_me($value)+{
+++++$value+=+strip_tags($value);
+++++$value+=+mysql_real_escape_string($value);
+++++.........
}

$var1+=+escape_me($_POST['var1']);|code-block|syntax|javascript|908600|希望这能让你找到正确的方向。|908601|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

You are worried about long code for escaping each var but for some reason you forgot the purpose of a function.

<pre><code>function escape_me($value) {
 $value = strip_tags($value);
 $value = mysql_real_escape_string($value);
 .........
}

$var1 = escape_me($_POST['var1']);
</code></pre>

Hopefully that gets you pointed in the right direction.

blocks|key|5251738|text|有点离题，但我觉得这很重要。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|5251739|这不是你在这个问题上的第一个问题。看来你还是不明白这一点。|5251740|5251741|您确定mysql不接受转义sql字符串吗？|blockquote|5251742|5251743|5251744|对不起，这个问题似乎是你的主要问题。|5251745|而不是寻求理解，而不是寻求解释，你只是在询问某种肯定的答案。|5251746|这个问题的结果应该是你给自己的答案，基于你对这个问题的理解。|offset|length|style|BOLD|5251747|只有在这种情况下，它才会对你有任何好处。|5251748|否则，你会再次跌倒在下一步。|5251749|请尝试理解转义字符串的含义。|5251750|对于任何具有非常基本的SQL知识的人来说，您的问题都是毫无意义的。|5251751|当然，这样的整个查询转义永远不会起作用。仅仅是因为SQL查询的性质。|5251752|您迫切需要来理解的这一特性。请读点书吧。请要求解释，而不是一些保证。|5251753|entityMap^0|0|0|0|0|0|0|0|0|A|K|0|0|K|0|0|E|0|0|E|0|0|X|0|0|Y|0|0|Y|0^^$0|@$1|2|3|4|5|6|7|17|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|18|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|19|8|@]|9|@]|A|$]]|$1|E|3|F|5|G|7|1A|8|@]|9|@]|A|$]]|$1|H|3|-4|5|6|7|1B|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|1C|8|@]|9|@]|A|$]]|$1|J|3|K|5|6|7|1D|8|@]|9|@]|A|$]]|$1|L|3|M|5|6|7|1E|8|@]|9|@]|A|$]]|$1|N|3|O|5|6|7|1F|8|@$P|1G|Q|1H|R|S]]|9|@]|A|$]]|$1|T|3|U|5|6|7|1I|8|@$P|1J|Q|1K|R|S]]|9|@]|A|$]]|$1|V|3|W|5|6|7|1L|8|@$P|1M|Q|1N|R|S]]|9|@]|A|$]]|$1|X|3|Y|5|6|7|1O|8|@$P|1P|Q|1Q|R|S]]|9|@]|A|$]]|$1|Z|3|10|5|6|7|1R|8|@$P|1S|Q|1T|R|S]]|9|@]|A|$]]|$1|11|3|12|5|6|7|1U|8|@$P|1V|Q|1W|R|S]]|9|@]|A|$]]|$1|13|3|14|5|6|7|1X|8|@$P|1Y|Q|1Z|R|S]]|9|@]|A|$]]|$1|15|3|-4|5|6|7|20|8|@]|9|@]|A|$]]]|16|$]]

A somewhat offtopic but I feel it's very important. 

This is not the first your question on the matter. And it seems you still don't get the point.

<blockquote>
 are you sure mysql does not accept escaped sql strings?
</blockquote>

I beg my pardon, but it seems this question being your main problem. 
Instead of looking for understanding, instead of looking for explanation, you are just asking of some sort of positive answer. 

The result of this question should be the answer you gave to yourself, based on your understanding of the matter. 
Only in this case it will do any good for you. 
Otherwise you will stumble on the very next step again. 

Please, try to understand the meaning of escaping strings. 
Your question makes absolutely no sense to anyone who has a very basic SQL knowledge. 
Of course such whole query escaping will never work. Just because of the nature of the SQL query. 
You desperately need to understand this nature. 
Please, read some books.
Please, ask for explanations, not for some assurance.

I am often escaping inputs one by one and I am wondering about the difference between two methods. Which one is a more common practice? I tried escaping the "escape requiring" fields first, then I end up writing long escaping code for each value. What are the disadvantages of escaping a whole sql sentence at once?

Should I escape the input parameters one by one or escape the sql query as a whole?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

我经常一个接一个地转义输入，我想知道两种方法之间的区别。哪一个是更常见的做法？我首先尝试转义“转义请求”字段，然后为每个值编写长长的转义代码。一次转义整个sql语句的缺点是什么？

问我应该逐个转义输入参数还是整体转义sql查询？
EN

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问我应该逐个转义输入参数还是整体转义sql查询？EN