mysql escape decoding: Why is using mysql_escape_string strongly discouraged?


Why is that?

Solution

Because there are some extremely rare encodings supported by mysql, in which mysql_escape_string will allow an SQL injection, but mysql_real_escape_string() won't.

However, as long as your encoding is either single-byte or UTF-8, there will be no harm from mysql_escape_string() ever and one can use it with no fear.

On the other hand, it is to be noted that in fact mysql_real_escape_string() won't do any good if used by itself.

It will work as desired only if the mysql driver encoding was set, using the mysql_set_charset() function (or by some mysql server tweak).

Otherwise it will act exactly the same way as the defamed mysql_escape_string().

It should also be noted that both these functions are actually discouraged, mostly because of improper use.

And local folks do extensively push PDO prepared statements to use instead.

As you may guess by now, PDO prepared statements won't do any good if used by themselves, out of the box. Some preparations have to be made.

One has to either

turn off emulation mode, which is on by default,

or set our old friend - mysql driver encoding - while such an action is only allowed in the DSN and available only since 5.3.3.

or there will be no difference between PDO and mysql_escape_string in terms of acting for some extremely rare encodings.
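
The two preparations named in the answer, applied together in one PDO connection, as an added example that is not part of the original answer. The host, database, table and credential names are placeholders, `utf8mb4` is an assumed connection encoding, and the type hints assume PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example. Host, database, table and credential names are placeholders.

function open_pdo(string $host, string $db, string $user, string $pass): PDO
{
    // Preparation 2: name the connection encoding in the DSN so the driver
    // and the server agree on how string bytes are interpreted.
    // utf8mb4 is an assumption; use the encoding your schema really uses.
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $db);

    return new PDO($dsn, $user, $pass, [
        // Preparation 1: emulation is on by default for the MySQL driver.
        // With it off, the SQL text and the parameter values travel to the
        // server separately, so no client-side quoting takes place.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Fail closed if the session encoding is not the one the DSN asked for.
function assert_connection_charset(PDO $pdo, string $expected): void
{
    $row = $pdo->query(
        'SELECT @@character_set_client AS client, @@character_set_connection AS conn'
    )->fetch();
    if ($row['client'] !== $expected || $row['conn'] !== $expected) {
        throw new RuntimeException(
            "connection charset is {$row['client']}/{$row['conn']}, expected {$expected}"
        );
    }
}

// Hypothetical lookup: the value is bound, never concatenated into the SQL.
function find_user(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$pdo = open_pdo('127.0.0.1', 'example_db', 'app_user', getenv('DB_PASS') ?: '');
assert_connection_charset($pdo, 'utf8mb4');
var_dump(find_user($pdo, "O'Reilly"));
```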
