Do I need to use following function for string escaping in PHP?

╄→尐↘猪︶ㄣ submitted on 2019-12-11 10:24:31

Question


function escape($value){
    // Is magic_quotes_gpc on? If so, PHP has already addslashes()'d all GPC input.
    $magic_quotes_active = get_magic_quotes_gpc();
    // Does this PHP build have the mysql extension's escaping function at all?
    $new_enough_php = function_exists("mysql_real_escape_string");
    if ($new_enough_php) {
        if ($magic_quotes_active) {
            // Undo the magic-quotes escaping, then escape for MySQL properly.
            $value = stripslashes($value);
            $value = mysql_real_escape_string($value);
        }
        elseif (!$magic_quotes_active) {
            // Magic quotes off: only addslashes() is applied here, even though
            // mysql_real_escape_string() is available in this branch.
            $value = addslashes($value);
        }
    }
    // Note: the original returned nothing (NULL) when the mysql extension was
    // missing; returning the value on every path avoids silently losing input.
    return $value;
}

For a long time I have been using the above function for escaping strings. Now I want to ask: do I need to use that function (I found it on the internet for escaping strings in a way that works with most versions of PHP)? Or is it making things unnecessarily complex?


Answer 1:


No, you should, in fact, avoid using functions like these at all costs! What you should be looking into is the use of prepared statements.
Check the doc pages of any of the mysql_* functions and notice the red warning box: the extension has begun the deprecation process; PDO or mysqli_* is suggested instead.

To avoid injection, prepared statements are what you should use... read a couple of articles on the matter, and look into the advantages of both PDO and mysqli_*. That's, I'm afraid, the only way forward...
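
The contrast the answer draws, as an added example that is not part of the original question or answers: the concatenate-an-escaped-string pattern the posted escape() helper serves, next to the same lookup done with a mysqli prepared statement and with a PDO prepared statement. The table `users`, the host, database name and credentials are assumptions made for illustration; the mysqli version assumes the mysqlnd driver (for `get_result()`), and the whole block assumes a PHP 7 or 8 build, where the `mysql_*` functions and `get_magic_quotes_gpc()` from the question no longer exist.

```php
<?php
// Added example, not code from the original question or answers.
// Assumed: a MySQL database `app` with a `users(id, username)` table,
// reachable at 127.0.0.1 with user `app` / password `secret`.
declare(strict_types=1);

// 1. The pattern the question's escape() is built for: escape, then splice the
//    value into the SQL text. This is the branch that function takes on any PHP
//    where magic quotes are off: plain addslashes(). addslashes() knows nothing
//    about the connection's character set, and the query is only as safe as the
//    discipline of calling it on every value. This is what Answer 1 advises against.
function findUserByEscaping(mysqli $db, string $username): ?array
{
    $escaped = addslashes($username);
    $sql     = "SELECT id, username FROM users WHERE username = '$escaped'";
    $row     = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// 2. mysqli prepared statement: the statement text is sent to the server
//    first and the value is bound afterwards, so the value cannot alter the
//    statement's structure regardless of quotes or backslashes it contains.
function findUserMysqli(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// 3. PDO prepared statement. Emulated prepares are disabled in connectPdo()
//    so binding is done by the server, not by the driver interpolating text.
function findUserPdo(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function connectPdo(): PDO
{
    // Assumed DSN and credentials. Declaring the charset in the DSN is what
    // lets the driver and server agree on where multibyte characters end.
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app',
        'secret',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

function connectMysqli(): mysqli
{
    // Assumed credentials. Strict error reporting turns failed prepares into
    // exceptions instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('127.0.0.1', 'app', 'secret', 'app');
    $db->set_charset('utf8mb4');
    return $db;
}

// Constructed input: a textbook injection payload. For the two prepared-
// statement versions it is simply a username that does not exist.
$attackerInput = "' OR '1'='1";

$pdo = connectPdo();
var_dump(findUserPdo($pdo, $attackerInput));        // NULL: no user is literally named that

$mysqli = connectMysqli();
var_dump(findUserMysqli($mysqli, $attackerInput));  // NULL, same reason
```

Both prepared-statement versions send the query shape and the data on separate channels, which is why they need no escape() wrapper at all. Variant 1 is kept only to show what the original helper was doing; if an escaped-string query is ever unavoidable, `mysqli::real_escape_string()` on a connection with `set_charset()` applied is the charset-aware replacement for `addslashes()`, but the answer's point stands: bind parameters instead.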




Answer 2:


You don't need such functions. Typically it's enough to use addslashes(...). In special cases, see the documentation, as @Elias Van Ootegem recommended.



Source: https://stackoverflow.com/questions/13108695/do-i-need-to-use-following-function-for-string-escaping-in-php
