Are these mysql_real_escape_string usages the same?

Date: 2010-11-18 20:10:51

Tags: php

Are these two the same? Thanks.

// Form 1: escape the input first, then interpolate it into the query string
$user = $_POST['user'];
$user = mysql_real_escape_string($user);
$result = mysql_fetch_array(mysql_query("SELECT * FROM accounts WHERE id='$user'"));

vs.

// Form 2: escape the input inside the sprintf() argument; %s inserts it unchanged
$user = $_POST['user'];
$result = mysql_fetch_array(mysql_query(sprintf("SELECT * FROM accounts WHERE id='%s'", mysql_real_escape_string($user))));

3 answers:

Answer 0 (score: 3)

Yes, they are equivalent.

You can verify it like this:

$user = $_POST['user'];
$user = mysql_real_escape_string($user);
echo "SELECT * FROM accounts WHERE id='$user'"; // print the query built by interpolation

- vs -

$user = $_POST['user'];
echo sprintf("SELECT * FROM accounts WHERE id='%s'", mysql_real_escape_string($user)); // print the query built by sprintf

Answer 1 (score: 1)

Yes, they are the same.

http://php.net/manual/en/function.sprintf.php

Answer 2 (score: 1)

Yes, they are equivalent. Usually you would use sprintf to make the code easier to read and the query easier to modify:

$user = $_POST['user'];
// build the SQL string first so the query text is easy to read and change
$sql = sprintf("SELECT * FROM accounts WHERE id='%s'",
    mysql_real_escape_string($user)
);
$result = mysql_fetch_array(mysql_query($sql));
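The check suggested in answer 0 and the sprintf form in answer 2, carried through as a runnable offline example. This is added code, not from the question or any answer: mysql_real_escape_string() requires a live MySQL connection, so the escape_like_mysql() stand-in below reproduces the documented escaping rules (backslash, quotes, NUL, newline, carriage return, Ctrl-Z) for the default single-byte case and is an assumption, not the real function. The sample inputs are constructed; each is run through both forms and the resulting SQL strings are compared byte for byte.

```php
<?php
// Stand-in for mysql_real_escape_string() so the example runs without a
// database connection (assumption: default non-multibyte charset).
function escape_like_mysql(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Form 1 from the question: escape first, then interpolate into the string.
function query_interpolated(string $user): string {
    $user = escape_like_mysql($user);
    return "SELECT * FROM accounts WHERE id='$user'";
}

// Form 2 from the question: escape inside the sprintf() argument.
// %s inserts the already-escaped value unchanged, which is why the two agree.
function query_sprintf(string $user): string {
    return sprintf("SELECT * FROM accounts WHERE id='%s'", escape_like_mysql($user));
}

// Constructed sample inputs: plain, with a single quote, with a backslash,
// and with an embedded newline.
$samples = ["alice", "O'Brien", "back\\slash", "multi\nline"];
foreach ($samples as $input) {
    $a = query_interpolated($input);
    $b = query_sprintf($input);
    printf("%-14s -> %s\n", json_encode($input), $a);
    // Both forms must yield byte-identical SQL for every input.
    if ($a !== $b) {
        throw new RuntimeException("forms differ for input " . json_encode($input));
    }
}
echo "both forms produce identical queries for all samples\n";
```

For the input O'Brien both functions return `SELECT * FROM accounts WHERE id='O\'Brien'`; the only difference between the two forms is where the escaping call sits, and since the escaped value lands inside a quoted literal in both cases, the protection the escaping provides is the same.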