addslashes / mysql_real_escape_string

Updated: 2022-10-30 22:35:10



Hello.

It's been a while since I used php. Since then magic quotes has been
deprecated and will be removed when php 6.0 hits. My question is, what
should I be using when submitting data to a database instead? Which is
better for security reasons, addslashes() or mysql_real_escape_string()?

Thank you.

Regards

ndlarsen

In our last episode, <47***********************@news.sunsite.dk>, the lovely
and talented ndlarsen broadcast on comp.lang.php:
Hello.

It's been a while since I used php. Since then magic quotes has been
deprecated and will be removed when php 6.0 hits. My question is, what
should I be using when submitting data to a database instead? Which is
better for security reasons, addslashes() or mysql_real_escape_string()?

See the best practices example in the article on mysql_real_escape_string in
the manual. For portability you need to check for whether magic quotes are
on and reverse them if they are. If portability is not a concern and it is
your own machine, you can turn magic quotes off and save a few steps.

mysql_real_escape_string requires a database connection and will attempt to
establish one if it cannot find an explicit link or the default previous
link. The most convenient time, then, to apply it is just before entering
the data in the database.
--
Lars Eighner <http://larseighner.com/> us****@larseighner.com
Countdown: 299 days to go.


ndlarsen wrote:
My question is, what should I be using when submitting data to a
database instead? Which is better for security reasons, addslashes() or
mysql_real_escape_string()?

Depends on what database you're using. mysql_real_escape_string() is a
good solution if you're using MySQL, because it uses encoding-specific
techniques.

Some of the other database modules provide similar functions. For those
that don't, addslashes() can be used as a last resort.

The best solution though is to use PDO and prepared statements.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 20:40.]

Best... News... Story... Ever!
http://tobyinkster.co.uk/blog/2008/03/23/hypnotist/


I appreciate your reply.
Depends on what database you're using. mysql_real_escape_string() is a
good solution if you're using MySQL, because it uses encoding-specific
techniques.

Sorry about that, I should have mentioned that it is a MySQL database.

The best solution though is to use PDO and prepared statements.

You sort of lost me here.

Regards

ndlarsen
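Since the last reply asks what "PDO and prepared statements" means in practice, here is an added example (not code from any poster in the thread) of the approach Toby recommends for the MySQL case. It assumes a database named `app`, a user `app_user` with its password in the `DB_PASSWORD` environment variable, and a table `users(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100), email VARCHAR(255))`; all of those are assumptions, not values from the thread.

```php
<?php
// Added example: storing and reading user-supplied data with PDO prepared
// statements, so no addslashes()/mysql_real_escape_string() step is needed.
// Assumed schema: users(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100), email VARCHAR(255))
declare(strict_types=1);

function connect(): PDO
{
    // The charset in the DSN makes client and server agree on the encoding.
    // That is the same concern mysql_real_escape_string() addresses by being
    // connection-aware; a charset mismatch is what lets escaping go wrong.
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', getenv('DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Native (server-side) prepares: the SQL text and the parameter values
        // travel separately, so a value can never alter the statement's structure.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function addUser(PDO $db, string $name, string $email): int
{
    // Named placeholders stand in for the values; nothing from $name or $email
    // is ever concatenated into the SQL string.
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) $db->lastInsertId();
}

function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Constructed input: quote characters that would break a naively
// concatenated query are stored and read back verbatim.
$db   = connect();
$name = "O'Brien \"Larry\"";
$id   = addUser($db, $name, 'larry@example.com');
printf("inserted id %d\n", $id);
var_dump(findUserByName($db, $name));
```

On the PHP 5 builds the thread is about, magic_quotes_gpc still has to be off (or its slashes stripped with stripslashes()) before a value is bound, otherwise the stored string carries an extra backslash; the binding itself needs no escaping.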