real_escape_string
Escapes special characters in a string so that it can be used safely in an SQL statement.
real_escape_string()
/ mysqli_real_escape_string()
The function escapes the special characters in a string for use in an SQL query, taking the current character set of the connection into account (which is why it needs a live connection and why the connection's character set should be set before calling it).
It is used to build a legal SQL string literal that can be placed inside an SQL statement. Assume we have the following code:
<?php
// $mysqli is an existing mysqli connection.
$lastname = "D'Ore";
$sql = "INSERT INTO Persons (LastName) VALUES ('$lastname')";

// This query will fail because we did not escape $lastname:
// the apostrophe in D'Ore terminates the quoted literal early.
if (!$mysqli->query($sql)) {
    printf("Error: %s\n", $mysqli->error);
} else {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}
?>
Example (object-oriented style): escape the special characters in a string before using it in a query:
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "my_db");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: " . $mysqli->connect_error;
    exit();
}

// Escape special characters (if any)
$firstname = $mysqli->real_escape_string($_POST['firstname']);
$lastname  = $mysqli->real_escape_string($_POST['lastname']);
$age       = $mysqli->real_escape_string($_POST['age']);

$sql = "INSERT INTO Persons (FirstName, LastName, Age) VALUES ('$firstname', '$lastname', '$age')";

// Report success on the query's return value, and the error otherwise
if ($mysqli->query($sql)) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
} else {
    printf("Error: %s\n", $mysqli->error);
}

$mysqli->close();
?>
Example (procedural style): escape the special characters in a string before using it in a query:
<?php
$con = mysqli_connect("localhost", "my_user", "my_password", "my_db");
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    exit();
}

// Escape special characters (if any)
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname  = mysqli_real_escape_string($con, $_POST['lastname']);
$age       = mysqli_real_escape_string($con, $_POST['age']);

$sql = "INSERT INTO Persons (FirstName, LastName, Age) VALUES ('$firstname', '$lastname', '$age')";

// Report success on the query's return value, and the error otherwise
if (mysqli_query($con, $sql)) {
    printf("%d Row inserted.\n", mysqli_affected_rows($con));
} else {
    printf("Error: %s\n", mysqli_error($con));
}

mysqli_close($con);
?>
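As an added example (not code from the original page), the script below gathers the escaping into one helper that builds the same INSERT as the examples above. It sets the connection character set before escaping, shows what real_escape_string() does to the problem value "D'Ore" from the first example, and validates the numeric Age column instead of quoting it, because escaping only protects a value that sits inside a quoted literal. The credentials, the Persons table and the buildPersonInsert() helper name are assumptions taken from or made for this example.

```php
<?php
// Added example, not part of the original page. Assumes a reachable MySQL
// server with the credentials and the Persons table used in the page's examples.
$mysqli = new mysqli("localhost", "my_user", "my_password", "my_db");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: " . $mysqli->connect_error;
    exit();
}

// real_escape_string() follows the connection's character set, so set it
// explicitly before escaping anything.
$mysqli->set_charset("utf8mb4");

// Build an INSERT for the Persons table (hypothetical helper).
// String values are escaped through the connection and wrapped in single
// quotes. The numeric Age column is validated as an integer and inserted
// unquoted, since escaping does nothing for a value outside a quoted literal.
function buildPersonInsert(mysqli $db, string $firstname, string $lastname, string $age): string
{
    $first = $db->real_escape_string($firstname);
    $last  = $db->real_escape_string($lastname);

    $ageVal = filter_var($age, FILTER_VALIDATE_INT);
    if ($ageVal === false) {
        throw new InvalidArgumentException("Age must be an integer");
    }

    return "INSERT INTO Persons (FirstName, LastName, Age) "
         . "VALUES ('$first', '$last', $ageVal)";
}

// Show how the apostrophe in the page's problem value is escaped so that it
// no longer terminates the quoted literal.
echo $mysqli->real_escape_string("D'Ore"), "\n";

// Constructed sample input, standing in for the $_POST fields of the examples.
$sql = buildPersonInsert($mysqli, "Glenn", "D'Ore", "42");
echo $sql, "\n";

if ($mysqli->query($sql)) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
} else {
    printf("Error: %s\n", $mysqli->error);
}

$mysqli->close();
?>
```

With the server's default sql_mode the apostrophe is emitted with a backslash in front of it; under NO_BACKSLASH_ESCAPES the client library doubles it instead, which is why the escaping must be done by the connection rather than by a fixed string replacement. Where the driver supports it, a prepared statement with bound parameters (mysqli::prepare() and bind_param()) sends the values separately from the SQL text and removes the need to escape them at all.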