Difference between quotation marks and no quotation marks in Mysql Query
When the database field ID is an integer
Select ID from table where ID = 1
And
Select ID from table where ID = '1'
Both SQL statements are acceptable, but the first SQL statement does not require implicit conversion, which is faster than the second SQL statement.
When I inserted a string with single quotation marks into the mysql database today, nothing was reported, that is, the statement execution failed. I learned that single quotation marks and other escape functions can be used: mysql_real_escape_string and addslashes functions;
The following section describes how to escape data before inserting data into a database.
This article demonstrates the differences between addslashes and mysql_real_escape_string. Although many PHP coders in China still rely on addslashes to prevent SQL injection, I suggest you strengthen Chinese characters to prevent SQL injection. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, while addslashes only modifies 0xbf27 to 0xbf5c27 to be a valid multi-byte character, where 0xbf5c is still regarded as single quotes, therefore, addslashes cannot be intercepted.
Of course, addslashes is not useless either. It is used for processing single-byte strings and mysql_real_escape_string is used for multi-byte characters.
In addition, the example of get_magic_quotes_gpc in the php manual is as follows:
Copy codeThe Code is as follows:
<? Php
If (! Get_magic_quotes_gpc ()){
$ Lastname = addslashes ($ _ POST ["lastname"]);
} Else {
$ Lastname = $ _ POST ['lastname'];
}
?>
If magic_quotes_gpc is enabled, check $ _ POST ['lastname.
Let's talk about the differences between the two functions mysql_real_escape_string and mysql_escape_string:
Mysql_real_escape_string can be used only when (PHP 4> = 4.3.0, PHP 5. Otherwise, only mysql_escape_string can be used. The difference between the two is:
Mysql_real_escape_string considers the current character set to be connected, while mysql_escape_string does not.
To sum up:
Addslashes () is forcibly added;
Mysql_real_escape_string () will judge the character set, but there are requirements for the PHP version;
Mysql_escape_string does not consider the connected current character set.