How can mysqli
As long as you are using mysqli_set_charset()
to set client encoding, and mysqli_real_escape_string()
is used to format strings only, it is perfectly safe.
However, if your question implied using this function right in the application code, instead of behind-the-scenes processing of a placeholder-based query, or at least in the form of a PDO quote()-like function (which does escaping and quoting at once), it is a straight way to injection.
It is not the function itself being a problem, but the way it is used:
That's why you have to always use a placeholder to represent data in the query (while mysqli_real_escape_string can be used to process this placeholder all right).
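The two safe patterns the answer describes, as an added example that is not part of the original answer: a native mysqli prepared statement with bound parameters, and a quote()-like helper that escapes and quotes a string in one step so the caller can never forget the quotes. The connection values, the users table and the column names are assumptions for illustration only.

```php
<?php
// Added example (not from the original answer). Connection settings are placeholders.
$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    throw new RuntimeException('connect failed: ' . $db->connect_error);
}

// 1) Always set the client encoding through the API, never with a raw "SET NAMES" query,
//    so mysqli_real_escape_string() knows which charset it is escaping for.
$db->set_charset('utf8mb4');

// 2) Preferred: a placeholder-based query. The value never touches the SQL text.
function findUserByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?'); // assumed table/columns
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// 3) Fallback when you really must build SQL as text: a quote()-like helper that
//    escapes AND wraps the value in quotes, so escaping is never used "bare".
//    Numbers are cast and NULL is emitted as SQL NULL, because escaping alone does
//    nothing for an unquoted numeric context.
function quoteValue(mysqli $db, int|float|string|null $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    return "'" . $db->real_escape_string($value) . "'";
}

// Example of using the helper to process a placeholder, as the answer suggests:
function findUsersByDomain(mysqli $db, string $domain): array
{
    $sql = sprintf(
        'SELECT id, email FROM users WHERE email LIKE %s',
        quoteValue($db, '%@' . $domain) // quoting happens inside the helper
    );
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

var_dump(findUserByEmail($db, 'alice@example.com'));   // constructed sample input
var_dump(findUsersByDomain($db, 'example.com'));        // constructed sample input
```

The prepared statement is the default choice; the helper exists only for cases where a query must be assembled as a string, and its whole point is that the quoting is done in one place rather than at every call site.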