mysqli::real_query »

« mysqli::real_connect

mysqli::real_escape_string

mysqli_real_escape_string

(PHP 5, PHP 7, PHP 8)

mysqli::real_escape_string -- mysqli_real_escape_string — 根据当前连接的字符集，对于 SQL 语句中的特殊字符进行转义

说明

面向对象风格

public mysqli::real_escape_string(string $string): string

过程化风格

mysqli_real_escape_string(mysqli $mysql, string $string): string

此函数用于创建可在 SQL 语句中使用的合法 SQL 字符串。考虑到连接的当前字符集，对指定的字符串进行编码以生成转义的 SQL 字符串。

警告

安全：默认字符集

字符集必须在服务器级别设置，或者使用 API 函数 mysqli_set_charset() 影响 mysqli_real_escape_string()。参阅字符集的概念（concepts）部分。

参数

mysql

仅以过程化样式：由 mysqli_connect() 或 mysqli_init() 返回的 mysqli 对象。

string

需要进行转义的字符串。

会被进行转义的字符包括：NUL (ASCII 0)、 \n、\r、\、 '、" 和 CTRL+Z。

返回值

返回转义后的字符串。

示例

示例 #1 mysqli::real_escape_string() 示例

面向对象风格

<?php

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

$city = "'s-Hertogenbosch";

/* 对 $city 转义，此查询运行正常 */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
$mysqli->real_escape_string($city));
$result = $mysqli->query($query);
printf("Select returned %d rows.\n", $result->num_rows);

/* 未转义 $city，此查询运行失败 */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
$result = $mysqli->query($query);

过程化风格

<?php

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = mysqli_connect("localhost", "my_user", "my_password", "world");

$city = "'s-Hertogenbosch";

/* 对 $city 转义，此查询运行正常 */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
mysqli_real_escape_string($mysqli, $city));
$result = mysqli_query($mysqli, $query);
printf("Select returned %d rows.\n", mysqli_num_rows($result));

/* 未转义 $city，此查询运行失败 */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
$result = mysqli_query($mysqli, $query);

以上示例的输出类似于：

Select returned 1 rows.

Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's-Hertogenbosch'' at line 1 in...

参见

mysqli_set_charset() - 设置客户端字符集

发现了问题？

了解如何改进此页面 • 提交拉取请求 • 报告一个错误

＋添加备注

用户贡献的备注 6 notes

down

dave at mausner.us ¶

13 years ago

You can avoid all character escaping issues (on the PHP side) if you use prepare() and bind_param(), as an alternative to placing arbitrary string values in SQL statements.  This works because bound parameter values are NOT passed via the SQL statement syntax.

down

Josef Toman ¶

14 years ago

For percent sign and underscore I use this:
<?php
$more_escaped = addcslashes($escaped, '%_');
?>

down

arnoud at procurios dot nl ¶

20 years ago

Note that this function will NOT escape _ (underscore) and % (percent) signs, which have special meanings in LIKE clauses. 

As far as I know there is no function to do this, so you have to escape them yourself by adding a backslash in front of them.

down

therselman at gmail dot com ¶

7 years ago

Presenting several UTF-8 / Multibyte-aware escape functions.

These functions represent alternatives to mysqli::real_escape_string, as long as your DB connection and Multibyte extension are using the same character set (UTF-8), they will produce the same results by escaping the same characters as mysqli::real_escape_string.

This is based on research I did for my SQL Query Builder class:
https://github.com/twister-php/sql

<?php
/**
 * Returns a string with backslashes before characters that need to be escaped.
 * As required by MySQL and suitable for multi-byte character sets
 * Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and ctrl-Z.
 *
 * @param string $string String to add slashes to
 * @return $string with `\` prepended to reserved characters 
 *
 * @author Trevor Herselman
 */
if (function_exists('mb_ereg_replace'))
{
    function mb_escape(string $string)
    {
        return mb_ereg_replace('[\x00\x0A\x0D\x1A\x22\x27\x5C]', '\\\0', $string);
    }
} else {
    function mb_escape(string $string)
    {
        return preg_replace('~[\x00\x0A\x0D\x1A\x22\x27\x5C]~u', '\\\$0', $string);
    }
}

?>

Characters escaped are (the same as mysqli::real_escape_string):

00 = \0 (NUL)
0A = \n
0D = \r
1A = ctl-Z
22 = "
27 = '
5C = \

Note: preg_replace() is in PCRE_UTF8 (UTF-8) mode (`u`).

Enhanced version:

When escaping strings for `LIKE` syntax, remember that you also need to escape the special characters _ and %

So this is a more fail-safe version (even when compared to mysqli::real_escape_string, because % characters in user input can cause unexpected results and even security violations via SQL injection in LIKE statements):

<?php

/**
 * Returns a string with backslashes before characters that need to be escaped.
 * As required by MySQL and suitable for multi-byte character sets
 * Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and ctrl-Z.
 * In addition, the special control characters % and _ are also escaped,
 * suitable for all statements, but especially suitable for `LIKE`.
 *
 * @param string $string String to add slashes to
 * @return $string with `\` prepended to reserved characters 
 *
 * @author Trevor Herselman
 */
if (function_exists('mb_ereg_replace'))
{
    function mb_escape(string $string)
    {
        return mb_ereg_replace('[\x00\x0A\x0D\x1A\x22\x25\x27\x5C\x5F]', '\\\0', $string);
    }
} else {
    function mb_escape(string $string)
    {
        return preg_replace('~[\x00\x0A\x0D\x1A\x22\x25\x27\x5C\x5F]~u', '\\\$0', $string);
    }
}

?>

Additional characters escaped:

25 = %
5F = _

Bonus function:

The original MySQL `utf8` character-set (for tables and fields) only supports 3-byte sequences.
4-byte characters are not common, but I've had queries fail to execute on 4-byte UTF-8 characters, so you should be using `utf8mb4` wherever possible.

However, if you still want to use `utf8`, you can use the following function to replace all 4-byte sequences.

<?php
// Modified from: https://stackoverflow.com/a/24672780/2726557
function mysql_utf8_sanitizer(string $str)
{
    return preg_replace('/[\x{10000}-\x{10FFFF}]/u', "\xEF\xBF\xBD", $str);
}
?>

Pick your poison and use at your own risk!

down

Anonymous ¶

9 years ago

If you wonder why (besides \, ' and ")  NUL (ASCII 0), \n, \r, and Control-Z are escaped: it is not to prevent sql injection, but to prevent your sql logfile to get unreadable.

down

ASchmidt at Anamera dot net ¶

3 years ago

Caution when escaping the % and _ wildcard characters. According to an often overlooked note at the bottom of:

https://dev.mysql.com/doc/refman/5.7/en/string-literals.html#character-escape-sequences

the escape sequences \% and \_ will ONLY be interpreted as % and _, *if* they occur in a LIKE! (Same for MySQL 8.0)

In regular string literals, the escape sequences \% and \_ are treated as those two character pairs. So if those escape sequences appear in a WHERE "=" instead of a WHERE LIKE, they would NOT match a single % or _ character!

Consequently, one MUST use two "escape" functions: The real-escape-string (or equivalent) for regular string literals, and an amended escape function JUST for string literals that are intended to be used in LIKE.

＋添加备注

备份地址：http://www.lvesu.com/blog/php/mysqli.real-escape-string.php