mirror of
https://github.com/fofolee/uTools-Manuals.git
synced 2025-06-18 13:57:03 +08:00
238 lines
15 KiB
HTML
238 lines
15 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||
<html>
|
||
<head>
|
||
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
|
||
<title>转义 SQL 语句中使用的字符串中的特殊字符,并考虑到连接的当前字符集</title>
|
||
</head>
|
||
<body class="docs"><div id="layout">
|
||
<div id="layout-content"><div id="function.mysql-real-escape-string" class="refentry">
|
||
<div class="refnamediv">
|
||
<h1 class="refname">mysql_real_escape_string</h1>
|
||
<p class="verinfo">(PHP 4 >= 4.3.0, PHP 5)</p><p class="refpurpose"><span class="refname">mysql_real_escape_string</span> — <span class="dc-title">
|
||
转义 SQL 语句中使用的字符串中的特殊字符,并考虑到连接的当前字符集
|
||
</span></p>
|
||
|
||
</div>
|
||
|
||
<div id="function.mysql-real-escape-string-refsynopsisdiv">
|
||
<div class="warning"><strong class="warning">Warning</strong>
|
||
<p class="para">本扩展自 PHP 5.5.0
|
||
起已废弃,并在自 PHP 7.0.0 开始被移除。应使用 <a href="book.mysqli.html" class="link">MySQLi</a>
|
||
或 <a href="ref.pdo_mysql.html" class="link">PDO_MySQL</a> 扩展来替换之。参见
|
||
<a href="mysqlinfo.api.choosing.html" class="link">MySQL:选择 API</a> 指南以及<a href="faq.databases.html#faq.databases.mysql.deprecated" class="link">相关 FAQ</a> 来获取更多信息。用以替代本函数的有:</p>
|
||
<ul class="simplelist">
|
||
<li class="member"><span class="function"><a href="mysqli.real_escape_string.html" class="function">mysqli_real_escape_string()</a></span></li>
|
||
<li class="member"><span class="methodname"><a href="pdo.quote.html" class="methodname">PDO::quote()</a></span></li>
|
||
</ul>
|
||
</div>
|
||
</div>
|
||
|
||
<div class="refsect1 description" id="refsect1-function.mysql-real-escape-string-description">
|
||
<h3 class="title">说明</h3>
|
||
<div class="methodsynopsis dc-description">
|
||
<span class="methodname"><strong>mysql_real_escape_string</strong></span>
|
||
( <span class="methodparam"><span class="type">string</span> <code class="parameter">$unescaped_string</code></span>
|
||
[, <span class="methodparam"><span class="type">resource</span> <code class="parameter">$link_identifier</code><span class="initializer"> = NULL</span></span>
|
||
] ) : <span class="type">string</span></div>
|
||
|
||
<p class="para rdfs-comment">
|
||
本函数将
|
||
<code class="parameter">unescaped_string</code>
|
||
中的特殊字符转义,并计及连接的当前字符集,因此可以安全用于
|
||
<span class="function"><a href="mysql_query.html" class="function">mysql_query()</a></span>。
|
||
</p>
|
||
|
||
<p class="para">
|
||
<span class="function"><strong>mysql_real_escape_string()</strong></span> 调用mysql库的函数
|
||
mysql_real_escape_string, 在以下字符前添加反斜杠:
|
||
<em>\x00</em>, <em>\n</em>,
|
||
<em>\r</em>, <em>\</em>, <em>'</em>,
|
||
<em>"</em> 和 <em>\x1a</em>.
|
||
</p>
|
||
<p class="para">
|
||
为了安全起见,在像MySQL传送查询前,必须调用这个函数(除了少数例外情况)。
|
||
</p>
|
||
|
||
<div class="caution"><strong class="caution">Caution</strong>
|
||
<h1 class="title">安全提示: 默认字符集</h1>
|
||
<p class="para">
|
||
The character set must be set either at the server level, or with
|
||
the API function <span class="function"><a href="mysql_set_charset.html" class="function">mysql_set_charset()</a></span> for it to affect
|
||
<span class="function"><strong>mysql_real_escape_string()</strong></span>. See the concepts section
|
||
on <a href="mysqlinfo.concepts.charset.html" class="link">character sets</a> for
|
||
more information.
|
||
</p>
|
||
</div>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 parameters" id="refsect1-function.mysql-real-escape-string-parameters">
|
||
<h3 class="title">参数</h3>
|
||
<p class="para">
|
||
<dl>
|
||
|
||
|
||
<dt>
|
||
<code class="parameter">unescaped_string</code></dt>
|
||
|
||
<dd>
|
||
|
||
<p class="para">
|
||
The string that is to be escaped.
|
||
</p>
|
||
</dd>
|
||
|
||
|
||
<dt>
|
||
<code class="parameter">
|
||
link_identifier</code></dt>
|
||
<dd>
|
||
<p class="para">MySQL
|
||
连接。如不指定连接标识,则使用由 <span class="function"><a href="mysql_connect.html" class="function">mysql_connect()</a></span>
|
||
最近打开的连接。如果没有找到该连接,会尝试不带参数调用
|
||
<span class="function"><a href="mysql_connect.html" class="function">mysql_connect()</a></span>
|
||
来创建。如没有找到连接或无法建立连接,则会生成
|
||
<strong><code>E_WARNING</code></strong> 级别的错误。</p></dd>
|
||
|
||
|
||
</dl>
|
||
|
||
</p>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 returnvalues" id="refsect1-function.mysql-real-escape-string-returnvalues">
|
||
<h3 class="title">返回值</h3>
|
||
<p class="para">
|
||
Returns the escaped string, or <strong><code>FALSE</code></strong> on error.
|
||
</p>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 errors" id="refsect1-function.mysql-real-escape-string-errors">
|
||
<h3 class="title">错误/异常</h3>
|
||
<p class="para">
|
||
Executing this function without a MySQL connection present will
|
||
also emit <strong><code>E_WARNING</code></strong> level PHP errors. Only
|
||
execute this function with a valid MySQL connection present.
|
||
</p>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 examples" id="refsect1-function.mysql-real-escape-string-examples">
|
||
<h3 class="title">范例</h3>
|
||
|
||
<p class="para">
|
||
<div class="example" id="example-2163">
|
||
<p><strong>Example #1 <span class="function"><strong>mysql_real_escape_string()</strong></span> 例子</strong></p>
|
||
<div class="example-contents">
|
||
<div class="phpcode"><pre><span style="color: #000000">
|
||
<span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// Connect<br /></span><span style="color: #0000BB">$link </span><span style="color: #007700">= </span><span style="color: #0000BB">mysql_connect</span><span style="color: #007700">(</span><span style="color: #DD0000">'mysql_host'</span><span style="color: #007700">, </span><span style="color: #DD0000">'mysql_user'</span><span style="color: #007700">, </span><span style="color: #DD0000">'mysql_password'</span><span style="color: #007700">)<br /> OR die(</span><span style="color: #0000BB">mysql_error</span><span style="color: #007700">());<br /><br /></span><span style="color: #FF8000">// Query<br /></span><span style="color: #0000BB">$query </span><span style="color: #007700">= </span><span style="color: #0000BB">sprintf</span><span style="color: #007700">(</span><span style="color: #DD0000">"SELECT * FROM users WHERE user='%s' AND password='%s'"</span><span style="color: #007700">,<br /> </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$user</span><span style="color: #007700">),<br /> </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">?></span>
|
||
</span>
|
||
</pre></div>
|
||
</div>
|
||
|
||
</div>
|
||
</p>
|
||
<p class="para">
|
||
<div class="example" id="example-2164">
|
||
<p><strong>Example #2 <span class="function"><strong>mysql_real_escape_string()</strong></span> requires a connection example</strong></p>
|
||
<div class="example-contents"><p>
|
||
This example demonstrates what happens if a MySQL connection is not
|
||
present when calling this function.
|
||
</p></div>
|
||
<div class="example-contents">
|
||
<div class="phpcode"><pre><span style="color: #000000">
|
||
<span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// We have not connected to MySQL<br /><br /></span><span style="color: #0000BB">$lastname </span><span style="color: #007700">= </span><span style="color: #DD0000">"O'Reilly"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$_lastname </span><span style="color: #007700">= </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$lastname</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">$query </span><span style="color: #007700">= </span><span style="color: #DD0000">"SELECT * FROM actors WHERE last_name = '</span><span style="color: #0000BB">$_lastname</span><span style="color: #DD0000">'"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$_lastname</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$query</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?></span>
|
||
</span>
|
||
</pre></div>
|
||
</div>
|
||
|
||
<div class="example-contents"><p>以上例程的输出类似于:</p></div>
|
||
<div class="example-contents screen">
|
||
<div class="cdata"><pre>
|
||
Warning: mysql_real_escape_string(): No such file or directory in /this/test/script.php on line 5
|
||
Warning: mysql_real_escape_string(): A link to the server could not be established in /this/test/script.php on line 5
|
||
|
||
bool(false)
|
||
string(41) "SELECT * FROM actors WHERE last_name = ''"
|
||
</pre></div>
|
||
</div>
|
||
</div>
|
||
</p>
|
||
<p class="para">
|
||
<div class="example" id="example-2165">
|
||
<p><strong>Example #3 An example SQL Injection Attack</strong></p>
|
||
<div class="example-contents">
|
||
<div class="phpcode"><pre><span style="color: #000000">
|
||
<span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// We didn't check $_POST['password'], it could be anything the user wanted! For example:<br /></span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'username'</span><span style="color: #007700">] = </span><span style="color: #DD0000">'aidan'</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'password'</span><span style="color: #007700">] = </span><span style="color: #DD0000">"' OR ''='"</span><span style="color: #007700">;<br /><br /></span><span style="color: #FF8000">// Query database to check if there are any matching users<br /></span><span style="color: #0000BB">$query </span><span style="color: #007700">= </span><span style="color: #DD0000">"SELECT * FROM users WHERE user='</span><span style="color: #007700">{</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'username'</span><span style="color: #007700">]}</span><span style="color: #DD0000">' AND password='</span><span style="color: #007700">{</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'password'</span><span style="color: #007700">]}</span><span style="color: #DD0000">'"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">mysql_query</span><span style="color: #007700">(</span><span style="color: #0000BB">$query</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// This means the query sent to MySQL would be:<br /></span><span style="color: #007700">echo </span><span style="color: #0000BB">$query</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">?></span>
|
||
</span>
|
||
</pre></div>
|
||
</div>
|
||
|
||
<div class="example-contents"><p>
|
||
The query sent to MySQL:
|
||
</p></div>
|
||
<div class="example-contents screen">
|
||
<div class="cdata"><pre>
|
||
SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''
|
||
</pre></div>
|
||
</div>
|
||
<div class="example-contents"><p>
|
||
This would allow anyone to log in without a valid password.
|
||
</p></div>
|
||
</div>
|
||
</p>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 notes" id="refsect1-function.mysql-real-escape-string-notes">
|
||
<h3 class="title">注释</h3>
|
||
<blockquote class="note"><p><strong class="note">Note</strong>:
|
||
<p class="para">
|
||
A MySQL connection is required before using
|
||
<span class="function"><strong>mysql_real_escape_string()</strong></span> otherwise an error of
|
||
level <strong><code>E_WARNING</code></strong> is generated, and <strong><code>FALSE</code></strong> is
|
||
returned. If <code class="parameter">link_identifier</code> isn't defined, the
|
||
last MySQL connection is used.
|
||
</p>
|
||
</p></blockquote>
|
||
<blockquote class="note"><p><strong class="note">Note</strong>:
|
||
<p class="para">
|
||
If <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a> is enabled,
|
||
first apply <span class="function"><a href="stripslashes.html" class="function">stripslashes()</a></span> to the data. Using this function
|
||
on data which has already been escaped will escape the data twice.
|
||
</p>
|
||
</p></blockquote>
|
||
<blockquote class="note"><p><strong class="note">Note</strong>:
|
||
<p class="para">
|
||
If this function is not used to escape data, the query is vulnerable to
|
||
<a href="security.database.sql_injection.html" class="link">SQL Injection Attacks</a>.
|
||
</p>
|
||
</p></blockquote>
|
||
<blockquote class="note"><p><strong class="note">Note</strong>:
|
||
<span class="simpara">
|
||
<span class="function"><strong>mysql_real_escape_string()</strong></span> does not escape
|
||
<em>%</em> and <em>_</em>. These are wildcards in
|
||
MySQL if combined with <em>LIKE</em>, <em>GRANT</em>,
|
||
or <em>REVOKE</em>.
|
||
</span>
|
||
</p></blockquote>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 seealso" id="refsect1-function.mysql-real-escape-string-seealso">
|
||
<h3 class="title">参见</h3>
|
||
<p class="para">
|
||
<ul class="simplelist">
|
||
<li class="member"><span class="function"><a href="mysql_set_charset.html" class="function" rel="rdfs-seeAlso">mysql_set_charset()</a> - 设置客户端的字符集</span></li>
|
||
<li class="member"><span class="function"><a href="mysql_client_encoding.html" class="function" rel="rdfs-seeAlso">mysql_client_encoding()</a> - 返回字符集的名称</span></li>
|
||
<li class="member"><span class="function"><a href="addslashes.html" class="function" rel="rdfs-seeAlso">addslashes()</a> - 使用反斜线引用字符串</span></li>
|
||
<li class="member"><span class="function"><a href="stripslashes.html" class="function" rel="rdfs-seeAlso">stripslashes()</a> - 反引用一个引用字符串</span></li>
|
||
<li class="member">The <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a> directive</li>
|
||
<li class="member">The <a href="info.configuration.html#ini.magic-quotes-runtime" class="link">magic_quotes_runtime</a> directive</li>
|
||
</ul>
|
||
</p>
|
||
</div>
|
||
|
||
</div></div></div></body></html> |