esc_sql(): SQL query string escaping


Description

Prepares a string for use as an SQL query. This function is a glorified addslashes() that works with arrays.

In 99% of cases, you can use $wpdb->prepare() instead, and that is the recommended method. This function is only for use in those rare cases where you can't easily use $wpdb->prepare().

Note: Be careful to use this function correctly. It will only escape values to be used in strings in the query. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords.


Usage

 <?php esc_sql( $sql ); ?> 


Parameters

$data

(string|array) (required) The unescaped data: a string, or an array of strings, to be escaped for use inside a quoted SQL string literal.

Default: None


Return Values

(string|array)

The escaped data, safe to place between quotes in an SQL query: a string when given a string, or an array with each element escaped when given an array.


Example

For SQL escaping, $wpdb->prepare() is still the recommended first choice, because it both quotes and escapes the value and so corrects some common formatting errors.
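The following is an added example, not code from the WordPress reference page or from WordPress itself. It assumes WordPress is loaded so that esc_sql() and the global $wpdb are available; the untrusted input values are constructed for the example, and the {$wpdb->posts} table and the column allow-list are illustrative. It shows the one case where esc_sql() is sufficient (a value inside quotes), the unquoted ORDER BY case that stays injectable no matter how the value is escaped, how that case has to be handled instead, the preferred $wpdb->prepare() form, and the array input the function also accepts.

```php
<?php
// Added example (not from the WordPress page). Assumes WordPress is loaded:
// esc_sql(), $wpdb and $wpdb->posts exist. Inputs below are constructed.
global $wpdb;

// Untrusted values as an attacker might supply them (constructed for the example).
$title = "O'Reilly'; DROP TABLE wp_posts; -- ";
$order = "post_date; DROP TABLE wp_posts; -- ";

// 1. Safe use: the escaped value is placed INSIDE single quotes.
//    The quote in O'Reilly becomes \' and the injected text stays part of the literal.
$escaped_title = esc_sql( $title );
$sql_safe = "SELECT ID FROM {$wpdb->posts} WHERE post_title = '{$escaped_title}'";

// 2. Vulnerable use: ORDER BY takes an identifier, not a quoted string. esc_sql()
//    only neutralises quote characters, so there is nothing here for it to escape
//    and the appended statement is executed as SQL.
$sql_vuln = "SELECT ID FROM {$wpdb->posts} ORDER BY " . esc_sql( $order );

// 3. Correct handling of an identifier: escaping cannot help, so validate the
//    value against a fixed allow-list of column names and fall back to a default.
$allowed_columns = array( 'post_date', 'post_title', 'ID' );
$safe_order = in_array( $order, $allowed_columns, true ) ? $order : 'post_date';
$sql_fixed = "SELECT ID FROM {$wpdb->posts} ORDER BY {$safe_order}";

// 4. Preferred: $wpdb->prepare() adds the quotes and escapes the value itself,
//    so the "did I remember the quotes?" mistake cannot happen.
$sql_prepared = $wpdb->prepare(
    "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s AND post_status = %s",
    $title,
    'publish'
);

// 5. esc_sql() accepts an array and returns an array with every element escaped
//    (keys are preserved). Each element must still be wrapped in quotes when used.
$tags    = esc_sql( array( "it's", 'plain' ) );
$in_list = "'" . implode( "','", $tags ) . "'";
$sql_in  = "SELECT ID FROM {$wpdb->posts} WHERE post_title IN ({$in_list})";

// Run only the queries built safely (1, 3, 4, 5); $sql_vuln is shown for contrast.
$ids_safe     = $wpdb->get_col( $sql_safe );
$ids_fixed    = $wpdb->get_col( $sql_fixed );
$ids_prepared = $wpdb->get_col( $sql_prepared );
$ids_in       = $wpdb->get_col( $sql_in );
```

The rule the example illustrates: esc_sql() protects a value only when that value is the contents of a quoted string literal. Anything that is not a string literal (a column or table name, a sort direction, a LIMIT count, a keyword) has to be validated or cast rather than escaped, and where the value is a string literal, $wpdb->prepare() with %s or %d is the simpler and safer choice.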


Notes

  • $wpdb->prepare() is generally preferred as it corrects some common formatting errors.
  • This function was formerly just an alias for $wpdb->escape(), but that function has now been deprecated.
  • As described above, this function only escapes values that will sit inside quotes in the query (as in field = '{$escaped_value}'). An escaped value placed outside quotes, for example ORDER BY {$escaped_value}, remains vulnerable to SQL injection; identifiers and keywords must be validated against an allow-list instead.


Change Log

Since: 2.8.0


Source File

esc_sql() is located in wp-includes/formatting.php.


Related