This document describes how to use the addslashes, mysql_escape_string, and mysql_real_escape_string functions to escape the form data submitted by users.
The first thing to note is that addslashes, mysql_escape_string, and mysql_real_escape_string all exist to escape data before it is placed inside an SQL statement, so that user-controlled input cannot change the structure of the statement (SQL injection). So what are the differences between the three functions?
The addslashes() function adds a backslash before each of a fixed set of predefined characters, regardless of the character set in use. The predefined characters are:
Single quote (')
Double quote (")
Backslash (\)
The NUL byte (\0)
The mysql_real_escape_string() function escapes the special characters in a string so that the string can be used safely in an SQL statement (PHP 4 >= 4.3.0, PHP 5).
The following characters are affected:
\x00
\n
\r
\
'
"
\x1a
On success the function returns the escaped string; on failure it returns false.
This function escapes the special characters in the string while taking into account the character set of the current connection, which is why it can be used safely with mysql_query().
The difference between mysql_escape_string() and mysql_real_escape_string() is that the former ignores the character set of the current connection, while the latter takes it into account. mysql_escape_string() is not discussed further here: it was deprecated in PHP 5.3.0 and, together with the rest of the mysql extension (mysql_real_escape_string() included), removed in PHP 7.0.0, so it is not recommended. Current code should use mysqli_real_escape_string() or, better, prepared statements through mysqli or PDO.
At present, many PHP developers in China rely only on the addslashes function to prevent SQL injection, but this protection is not complete. An attacker targeting a connection that uses a multi-byte character set such as GBK can send the byte sequence 0xbf27 in place of a plain single quote. addslashes only rewrites the 0x27 byte, turning 0xbf27 into 0xbf5c27; a GBK-aware parser then reads 0xbf5c as one valid two-byte character and is left with the trailing 0x27 as an unescaped single quote, so addslashes fails to neutralize it.
Of course, the addslashes function is not useless: it is adequate for single-byte character sets. For multi-byte character sets, use the mysql_real_escape_string function, which escapes according to the connection's character set. Note that it only knows the character set if it was set with mysql_set_charset(); selecting the charset with a "SET NAMES" query changes the server side only and leaves the escaping function unaware of it, which reopens the bypass above. Prepared statements with bound parameters avoid the problem entirely, because the user data never becomes part of the SQL text.
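The following is an added example, not code from the original article, that reproduces the GBK bypass of addslashes() described above and then shows the two fixes. Part 1 runs stand-alone and assumes the mbstring extension is available; part 2 defines two functions that take an already-open mysqli connection and are not called here. The users table and its id and name columns are assumptions for illustration.

```php
<?php
// Added example, not code from the original article. Part 1 runs stand-alone
// (needs the mbstring extension); part 2 needs a live mysqli connection and is
// only defined here, not called. The users table and its columns are assumptions.

// --- Part 1: the multi-byte bypass of addslashes() ------------------------
// Constructed attacker input as raw bytes: 0xBF, then a single quote,
// then a tautology and a comment marker.
$attacker = "\xbf\x27 OR 1=1 -- ";

// addslashes() is byte-oriented: it turns 0x27 into 0x5C 0x27, so the
// escaped string now starts with the bytes BF 5C 27.
$escaped = addslashes($attacker);
printf("first bytes after addslashes: %s\n", bin2hex(substr($escaped, 0, 3)));

// A GBK-aware consumer (a MySQL connection whose character set is gbk)
// pairs 0xBF with the following 0x5C as one two-byte character, because
// 0x5C is a legal GBK trail byte. That leaves 0x27 standing as a bare quote.
$decoded = mb_convert_encoding($escaped, 'UTF-8', 'GBK');
$quote_survives = strpos($decoded, "'") !== false;
printf("decoded as GBK: %s\n", $decoded);
printf("bare quote survives addslashes: %s\n", $quote_survives ? 'yes' : 'no');

// The statement a GBK connection would actually parse: the quote closes the
// literal early and the injected clause becomes part of the WHERE condition.
$sql = "SELECT id FROM users WHERE name = '" . $escaped . "'";
printf("query as parsed by a gbk connection: %s\n", mb_convert_encoding($sql, 'UTF-8', 'GBK'));

// --- Part 2: the two fixes, each taking an open mysqli connection ---------

// Fix A: escape with knowledge of the connection character set. The charset
// must be set through set_charset(); issuing "SET NAMES gbk" with query()
// changes the server side only and leaves real_escape_string() unaware of
// it, which reopens the hole shown in part 1.
function escaped_lookup_sql(mysqli $db, string $name): string
{
    $db->set_charset('gbk');
    return "SELECT id FROM users WHERE name = '" . $db->real_escape_string($name) . "'";
}

// Fix B (preferred): a prepared statement with a bound parameter. The value
// is sent separately from the SQL text, so there is no escaping rule to bypass.
function find_user_id(mysqli $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}
```

Run part 1 with the PHP CLI to see the escaped bytes, the GBK decoding that swallows the backslash, and the resulting query; part 2 is meant to be called with a mysqli connection to a real database, and find_user_id() is the pattern to adopt for new code.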