Should I use PDO to sanitize my SQL queries, or "mysql_real_escape_string"?

Time: 2022-09-20 10:42:27

I have a simple classifieds website...

Classifieds are inserted into MySql tables and the only thing I use to sanitize user input is mysql_real_escape_string.

Is this enough?

The PDO is the best way of course, but what IS actually the difference between using only mysql_real_escape_string and PDO, in, let's say, this query:

   SELECT * FROM table_name WHERE table_name.classified = '$classified';

OR

   INSERT INTO table_name (input1, input2) VALUES ('$input1', $input2);

Thanks
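The two queries from the question, worked through as an added example (not code from the question or the answers). `legacy_escape()` is a stand-in that escapes the same characters as `mysql_real_escape_string()` (which needs a live MySQL connection and no longer exists in PHP 7+); the inputs are constructed, and an in-memory SQLite database stands in for MySQL so the PDO part runs offline.

```php
<?php
// Stand-in for mysql_real_escape_string(): backslash-escapes NUL, \n, \r,
// backslash, single quote, double quote and Ctrl-Z, and nothing else.
function legacy_escape(string $s): string {
    return strtr($s, ["\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
                      "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"", "\x1a" => "\\Z"]);
}

// Constructed user input: one value with a quote, one without any.
$classified = "O'Reilly";
$input1     = "hello";
$input2     = "1 OR 1=1";

// Query 1 from the question: the value sits inside '...', so escaping the
// quote keeps the whole value inside the string literal. This is the case
// mysql_real_escape_string() handles correctly.
$q1 = "SELECT * FROM table_name WHERE table_name.classified = '"
    . legacy_escape($classified) . "';";
echo $q1, "\n";

// Query 2 from the question: $input2 is NOT quoted. It contains none of the
// escaped characters, so legacy_escape() returns it unchanged and the text is
// spliced into the statement as SQL rather than stored as a value. Escaping
// cannot help here; only quoting/typing the value or parameterising can.
$q2 = "INSERT INTO table_name (input1, input2) VALUES ('"
    . legacy_escape($input1) . "', " . legacy_escape($input2) . ");";
echo $q2, "\n";

// PDO prepared statements: the SQL text and the values travel separately,
// so neither quoting nor escaping is the application's job.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE table_name (input1 TEXT, input2 INTEGER)');

// Validate the type before binding: an integer column should only ever
// receive an integer, whichever query API is used.
$int2 = filter_var($input2, FILTER_VALIDATE_INT);
if ($int2 === false) {
    echo "input2 rejected: not an integer\n";
    $int2 = 0;  // constructed fallback so the insert below still runs
}
$stmt = $pdo->prepare('INSERT INTO table_name (input1, input2) VALUES (:input1, :input2)');
$stmt->bindValue(':input1', $input1, PDO::PARAM_STR);
$stmt->bindValue(':input2', $int2, PDO::PARAM_INT);
$stmt->execute();

// The quote in O'Reilly is plain data here; no row matches, nothing breaks.
$stmt = $pdo->prepare('SELECT * FROM table_name WHERE input1 = :v');
$stmt->execute([':v' => $classified]);
var_dump($stmt->fetchAll(PDO::FETCH_ASSOC));
```

Run it with `php` built with pdo_sqlite; with MySQL, swap the DSN for `mysql:host=...;dbname=...` and the queries stay the same.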

2 answers

#1


3  

There is some pretty thorough info in this previous question: Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?

Basically, mysql_real_escape_string() gets the job done unless you want to rework (and possibly simplify) all your database interactions.

#2


2  

I think mysql_real_escape_string is enough for storing in the database and warding against any sql injection attack. But other validation is a good idea to have just so that your dataset is more regular and less prone to contain junk.

For presenting any of this data, filtering (a la Drupal style etc.) is a good idea too.
