注意事项:
1、It is impossible to safely escape a string without a DB connection. mysql_real_escape_string() and prepared statements need a connection to the database so that they can escape the string using the appropriate character set - otherwise SQL injection attacks are still possible using multi-byte characters.
2、If you are only testing, then you may as well use mysql_escape_string(), it's not 100% guaranteed against SQL injection attacks, but it's impossible to build anything safer without a DB connection.
3、If you must change the character set of the connection, use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.
性能方面:
mysql_real_escape_string 依赖于链接,需要获取链接字符集,理论上只需要获取一次就够了,不需要服务器做额外的事情,因此和mysql_escape_string 相差无几,可以通过测试验证;(未验证,如有验证过的同学,可以回复下)
已验证:验证方法,建立mysql链接后,sleep几秒,断开网络,mysql_real_escape_string 依然可以执行,因此不依赖服务器做额外工作
set names 改变编码不可取,因为不会相应的改变mysql链接的编码,使得mysql_real_escape_string使用的字符集错误,造成潜在的安全漏洞
参考资料
https://stackoverflow.com/questions/1162491/alternative-to-mysql-real-escape-string-without-connecting-to-db
https://dev.mysql.com/doc/refman/5.5/en/mysql-real-escape-string.html