问题
When should i use mysql_real_escape_string?
Is it only when i'm inserting rows into a database? Or only when i have user input?
Thanks
回答1:
You should use mysql_real_escape_string() whenever you're building a query that will be run against the database. Any user input that is being used to build a database query should be run through this function. This will prevent sql injection attacks.
User inputs are your big area of concern when it comes to this.
回答2:
You should use mysql_real_escape_string when you are inserting the value of a string into an SQL statement, and you are using the MySQL API.
$sql = "SELECT * FROM student WHERE foo = '" . $foo . "'";
Should be:
$sql = "SELECT * FROM student WHERE foo = '" .
mysql_real_escape_string($foo) . "'";
However you should also consider using PDO with prepared statements and bind parameters instead of mysql_real_escape_string. This reduces the risk of errors.
回答3:
always, apart from integers, there you use intval()
回答4:
It will simply filter all special character which included in form data to prevent from SQL injection(SQL injection is a hacker tool for hacking website through some queries with form data}
来源:https://stackoverflow.com/questions/5278043/when-to-use-mysql-real-escape-string