is this normal?

When I use mysqli->real_escape_string and add a string value to the db such as "who's", it adds the string without modifying the quote in any way. When I check the db, the value within it is "who's".

When I do not use mysqli->real_escape_string and add a string with a single quote like "who's", it just doesn't get added to the database. It is nowhere to be found.

This isn't normal, is it?


Yes, it is. It's a little difficult to answer this question in any more detailed a way than that.

real_escape_string() only escapes the data so it can be safely used in a query, it doesn't modify it in any way. When you don't escape it, the query has a syntax error in it so it fails - and the data is not inserted.

However the safest way to escape your data is to use prepared statements.


It is normal, and correct. the real_escape_string allows your string to be added to the database (including the quote). Without it, the apostrophe is interfering with the SQL, thus likely throwing an error, and that's why it's "nowhere to be found".


What real_escape_string does is, it escapes necessary characters only while adding these in the database. So it's like escaping the same type of quote in a string in PHP, for example:

$str = 'We escape single quotes like in O'Connor';

And the single quote (apostrophe) there is to prevent the code from breaking, but the string value does not actually contain it. Likewise…

INSERT INTO table (`name`) VALUES ('O'Connor')

in this example the backslash will not be inserted in the row. This is for security reasons, of course. Check Hackipedia's page to see some possible cases.

Hoping this was what you were asking.

链接地址: http://www.djcxy.com/p/93658.html

上一篇: mysqli真正的转义字符串

下一篇: 这是正常的吗?