我正在重写 Web 应用程序,想知道mysqli_real_escape_string
函数是否执行客户端-服务器往返?
我像这样使用它.
<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s'n", mysqli_connect_error());
exit();
}
mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");
$city = "'s Hertogenbosch";
/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s'n", mysqli_sqlstate($link));
}
$city = mysqli_real_escape_string($link, $city);
/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.'n", mysqli_affected_rows($link));
}
mysqli_close($link);
?>
mysqli_real_escape_string客户端-服务器往返吗?
因此,如果我使用 4 次mysqli_real_escape_string,那么会有 4 次客户端-服务器往返吗?
根据以下源代码: https://github.com/php/php-src/blob/master/ext/mysqli/mysqli_api.c
mysqli_real_escape_string
打电话给mysql_real_escape_string
.
PHP_FUNCTION(mysql_real_escape_string(定义如下:https://github.com/php/php-src/blob/master/ext/mysql/php_mysql.c
它从mysql库中调用mysql_real_escape_string
。 http://dev.mysql.com/doc/refman/5.5/en/mysql-real-escape-string.html
抱歉,我无法访问 launchpad.net mysql 源代码,但我在推特 mysql 源代码 https://github.com/twitter/mysql/blob/master/libmysql/libmysql.c
并看到了这个:
ulong STDCALL
mysql_real_escape_string(MYSQL *mysql, char *to,const char *from,
ulong length)
{
if (mysql->server_status & SERVER_STATUS_NO_BACKSLASH_ESCAPES)
return (uint) escape_quotes_for_mysql(mysql->charset, to, 0, from, length);
return (uint) escape_string_for_mysql(mysql->charset, to, 0, from, length);
}
escape_quotes_for_mysql
和escape_string_for_mysql
是在charset.c中定义的,它们不会向远程MySQL服务器发送任何信息。
到底部,我可以说:mysqli_real_escape_string
不做客户端-服务器往返。