Questions about mysql_real_escape_string

I am developing my personal website using PHP. Everything is fine, but I just read the manual page for mysql_real_escape_string on php.net and found two things:

  • This function should always ( with a few exceptions ) be used to ensure data security before sending a query to MySQL.
  • mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

I have two questions:
1 - What are these exceptions?
2 - How do I avoid these characters?

+5
3 answers


mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT or REVOKE.


// prefix \, % and _ with a backslash so LIKE treats them as literal characters
$like = addcslashes($like, '\%_');


+5


$id = intval($_GET['id']);



$term = $_GET['term'];
// %% is a literal % in sprintf; any % or _ inside $term is still a live wildcard here
$sql = sprintf("SELECT * FROM table WHERE column LIKE '%%%s%%'",
               mysql_real_escape_string($term));

, a % $term, , %. %, \% (\ escape- ). str_replace strtr - .

+3

You can write your own function ;) See this thread for more details.

In addition, you can use the PDO library or any other such libraries.

+1
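An added example, not taken from the question or from any of the answers above, that puts the pieces together: the LIKE wildcards in a user-supplied search term are escaped with strtr() (one of the two functions the second answer names), and the resulting pattern is bound as a prepared-statement parameter through PDO (the library the third answer points to), so quoting of the string literal is left to the driver. The table `articles`, its columns, the `!` escape character and the function names are assumptions made for this example.

```php
<?php
// Added example: escaping LIKE wildcards in a search term and binding the
// pattern with PDO. Table/column names and function names are assumed.

declare(strict_types=1);

/**
 * Escape the LIKE wildcards in a user-supplied term so they match literally.
 * strtr() with an array makes a single pass over the input: the escape
 * character itself is doubled, and % and _ are prefixed with it. The same
 * $escape must appear in the query's ESCAPE clause.
 */
function escapeLikeTerm(string $term, string $escape = '!'): string
{
    return strtr($term, [
        $escape => $escape . $escape,
        '%'     => $escape . '%',
        '_'     => $escape . '_',
    ]);
}

/** Build a "contains" pattern: wildcards around the escaped literal term. */
function containsPattern(string $term, string $escape = '!'): string
{
    return '%' . escapeLikeTerm($term, $escape) . '%';
}

/**
 * Run the search with PDO: the pattern travels as bound data, never as part
 * of the SQL text, so the driver handles quoting of the string literal.
 * Assumed schema: table `articles` with columns `id` and `title`.
 */
function searchTitles(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare(
        "SELECT id, title FROM articles WHERE title LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => containsPattern($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs showing what each unescaped term would otherwise do.
$cases = [
    '50% off'  => '%50!% off%',   // % would match any substring
    'a_b'      => '%a!_b%',       // _ would match any single character
    'wow!'     => '%wow!!%',      // the escape character itself is doubled
    "O'Reilly" => "%O'Reilly%",   // quotes are the driver's job, not ours
];
foreach ($cases as $input => $expected) {
    $got = containsPattern($input);
    printf("%-10s -> %-14s %s\n", $input, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Two points the answers leave implicit. First, a bound parameter protects the SQL text but does nothing about % and _, because they are interpreted by LIKE on the already-parsed value; the wildcard escaping is a separate step that is still needed with PDO. Second, the example uses `!` rather than the backslash from the first answer so that the ESCAPE clause does not itself depend on how MySQL parses backslashes in string literals (the NO_BACKSLASH_ESCAPES SQL mode changes that). If you keep the legacy approach of building the literal with mysql_real_escape_string(), apply addcslashes() for the LIKE wildcards first and the string escaping second; in the other order the backslashes that the string escaping added would themselves be escaped again, and the literal would no longer be quoted correctly.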