Find centralized, trusted content and collaborate around the technologies you use most.
Teams
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
为清楚起见,任何人都可以解释为什么mysqli_real_escape_string必须阅读:
mysqli_real_escape_string
$query = mysqli_real_escape_string($conn,"SELECT * FROM tbl");
而不仅仅是:
$query = mysqli_real_escape_string("SELECT * FROM tbl");
谢谢你的帮助!
因为字符集编码。
没有$conn,mysqli_real_escape_string()将无法检测连接使用的字符编码,并且会盲目地尝试逃避常见的危险字符 - 留下一些潜在危险的字符集黑客攻击。
$conn
mysqli_real_escape_string()
真实的(非模拟的)预处理语句更好(或者更安全,如您所愿),因为它们考虑了列的字符编码而不是连接。