PHP mysql_real_escape_string() and % character

Published 2019-07-04 00:04

Question:

What does mysql_real_escape_string() do with the % (percent) character and how much of a security risk does it represent (and how to fix it)?

Answer 1:

From the mysql_real_escape_string() documentation:

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

As far as security, unless you are running a LIKE, GRANT, or REVOKE, it's a non-issue. LIKE is probably the only real concern. It's up to you how you would want to escape it in these situations.

A quick example:

"... LIKE '%" . mysql_real_escape_string($string) . "%' ..."
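An added example (not part of any answer above) showing how the LIKE wildcards the answer mentions can be neutralised before the pattern is built. It assumes PDO with the MySQL driver and a hypothetical `users` table with `id` and `name` columns:

```php
<?php
// Added example, not from the answers above. Assumes PDO with the MySQL driver
// and a hypothetical `users` table with `id` and `name` columns.

/**
 * Escape the LIKE wildcards that mysql_real_escape_string() leaves alone.
 * '!' is used as the LIKE escape character (declared via ESCAPE '!' in the
 * query) so no backslash doubling is needed inside the SQL string.
 * The '!' itself is replaced first so the escapes added afterwards are
 * not doubled by a later replacement.
 */
function escapeLikeWildcards(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

/** Build a "contains" pattern in which the user input is matched literally. */
function containsPattern(string $fragment): string
{
    return '%' . escapeLikeWildcards($fragment) . '%';
}

/**
 * Run the search with a bound parameter. Quoting (done by the prepared
 * statement) and wildcard escaping (done above) are two separate jobs;
 * doing only the first still lets % and _ act as wildcards.
 */
function findUsersByNameFragment(PDO $pdo, string $fragment): array
{
    $stmt = $pdo->prepare(
        "SELECT id, name FROM users WHERE name LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => containsPattern($fragment)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Offline demonstration with constructed input: unescaped, "50%_off" would
// match "50", then any characters, then one arbitrary character, then "off";
// escaped, it matches only names containing the literal text "50%_off".
$input = '50%_off';
printf("unescaped: %s\n", '%' . $input . '%');
printf("escaped:   %s\n", containsPattern($input));
```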


Answer 2:

It does nothing with the % character. Why didn't you try it?



Answer 3:

Taken from:

http://php.net/manual/en/function.mysql-real-escape-string.php

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.