問題描述
對(duì)于這個(gè)查詢,是否需要使用mysql_real_escape_string?
For this query, is necessary to use mysql_real_escape_string?
有任何改進(jìn)或查詢沒問題嗎?
Any improvement or the query is fine ?
$consulta = $_REQUEST["term"]."%";
($sql = $db->prepare('select location from location_job where location like ?'));
$sql->bind_param('s', $consulta);
$sql->execute();
$sql->bind_result($location);
$data = array();
while ($sql->fetch()) {
$data[] = array('label' => $location);
}
在這種情況下,查詢速度很重要.
The query speed is important in this case.
推薦答案
不,準(zhǔn)備好的查詢(如果使用得當(dāng))將確保數(shù)據(jù)正確轉(zhuǎn)義以進(jìn)行安全查詢.你有點(diǎn)正確地使用它們,只需要改變一件小事.因?yàn)槟谑褂?"占位符,最好通過execute方法傳遞參數(shù).
No, prepared queries (when used properly) will ensure data is properly escaped for safe querying. You are kind of using them properly, just need change one little thing. Because you are using the '?' placeholder, it is better to pass params through the execute method.
$sql->execute(array($consulta));
如果您將其輸出到您的頁面,請(qǐng)務(wù)必小心,數(shù)據(jù)庫(kù)清理并不意味著它可以安全地在 HTML 中顯示,因此也可以在其上運(yùn)行 htmlspecialchars().
Just be careful if you're outputting that to your page, database sanitization does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well.
這篇關(guān)于使用準(zhǔn)備好的語句時(shí)是否需要 mysql_real_escape_string() ?的文章就介紹到這了,希望我們推薦的答案對(duì)大家有所幫助,也希望大家多多支持html5模板網(wǎng)!