PHP mysql_real_escape_string() and % character

Submitted by 心不动则不痛 on 2019-12-10 17:48:39

Question


What does mysql_real_escape_string() do with the % (percent) character and how much of a security risk does it represent (and how to fix it)?


Answer 1:


From the mysql_real_escape_string() documentation:

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

As far as security, unless you are running a LIKE, GRANT, or REVOKE, it's a non-issue. LIKE is probably the only real concern. It's up to you how you would want to escape it in these situations.

A quick example:

"... LIKE '%" . mysql_real_escape_string($string) . "%' ..."
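
One way to handle the LIKE case the answer leaves up to you: an added example (not code from the original answer) that escapes `%` and `_` before the term goes into the pattern and binds the pattern as a parameter. It assumes PDO with MySQL and a hypothetical `products` table; the table and column names are placeholders.

```php
<?php
// Added example, not from the original answer. Assumes PDO with MySQL and a
// hypothetical `products` table; table and column names are placeholders.

/**
 * Escape the characters MySQL LIKE treats specially: '%' (any run of
 * characters), '_' (any single character) and the escape character itself.
 * Neither mysql_real_escape_string() nor PDO parameter binding does this,
 * so without it a search for "%" matches every row of the table.
 */
function escapeLikeWildcards(string $term, string $escape = '!'): string
{
    // The escape character is replaced first so the '!' we insert for
    // '%' and '_' is not itself doubled afterwards.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $term
    );
}

/**
 * Substring search where the user's term is matched literally. The pattern
 * is a bound parameter (no SQL injection) and the ESCAPE clause names the
 * character used by escapeLikeWildcards(), so '!%' means a literal percent.
 */
function findProductsByName(PDO $pdo, string $term): array
{
    $pattern = '%' . escapeLikeWildcards($term) . '%';
    $stmt = $pdo->prepare(
        'SELECT id, name FROM products WHERE name LIKE :pattern ESCAPE \'!\''
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs showing the transformation; no database needed.
foreach (['50% off', 'a_b', '100%', 'wow!'] as $input) {
    printf("%-8s -> %s\n", $input, escapeLikeWildcards($input));
}
```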



Answer 2:


It does nothing with the % character. Why didn't you try it?




Answer 3:


Taken from:

http://php.net/manual/en/function.mysql-real-escape-string.php

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.



Source: https://stackoverflow.com/questions/6473823/php-mysql-real-escape-string-and-character
