Note the following when querying strings with single quotes and inserting strings with single quotes in Mysql:

Source: Internet
Author: User
Tags array to string mysql index

This document describes how to use the addslashes, mysql_escape_string, and mysql_real_escape_string functions to escape the form data submitted by users.

The first thing to note is that the addslashes, mysql_escape_string, and mysql_real_escape_string functions filter data to be inserted into the database to ensure data security and prevent database attacks. So what are the differences between the three functions?

The addslashes () function adds a backslash before the specified predefined character. The predefined characters are:

Single quotes (')
Double quotation marks (")
Backslash (\)
NULL

The special characters in the strings used in the mysql_real_escape_string () function to escape SQL statements must be used (PHP 4> = 4.3.0, PHP 5.

The following characters are affected:

\ X00
\ N
\ R
\
'
"
\ X1a

If yes, the function returns the escaped string. If it fails, false is returned.

This function escapes special characters in string and considers the connected current character set. Therefore, it can be safely used for mysql_query ().

The difference between mysql_escape_string () and mysql_real_escape_string () is that the former does not consider the current character set to be connected, while the latter does. I will not talk about it here, because this method has been discarded in PHP 5.3, so it is not recommended.

At present, many PHP coder in China only rely on the addslashes function to prevent SQL statement injection, but the problem here is not comprehensive. For hackers who want to bypass the addslashes function, they can use 0xbf27 instead of the single quotation mark, while addslashes only modifies 0xbf27 to 0xbf5c27 to become a valid multi-byte character, 0xbf5c is still regarded as a single quotation mark, so addslashes cannot be intercepted successfully.

Of course, the addslashes function is not useless. It is used for processing single-byte strings. For multi-byte characters, you can use the mysql_real_escape_string function to process them.

Articles you may be interested in
  • Js array to string, js string to array method summary
  • Summary of the string truncation function implemented by javascript (including introduction to the use of Js to intercept Chinese characters)
  • Common knowledge about Mysql INDEX OPTIMIZATION
  • How to query data of mysql today, yesterday, last 7 days, last 30 days, last month, and last month
  • Php converts all-round characters in a string to half-width characters.
  • Case sensitivity of mysql Databases
  • MySQL replace function replacement string statement usage
  • SEO issues that programmers should pay attention to when developing websites

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.