使用准备好的语句时是否需要 mysql_real_escape_string() ?

对于这个查询,是否需要使用mysql_real_escape_string?

For this query, is necessary to use mysql_real_escape_string?

有任何改进或查询没问题吗?

Any improvement or the query is fine ?

$consulta = $_REQUEST["term"]."%";

($sql = $db->prepare('select location from location_job where location like ?'));

$sql->bind_param('s', $consulta);
$sql->execute();
$sql->bind_result($location);

$data = array();

while ($sql->fetch()) {
    $data[] = array('label' => $location);
}

在这种情况下,查询速度很重要.

The query speed is important in this case.

推荐答案

不,准备好的查询(如果使用得当)将确保数据正确转义以进行安全查询.你有点正确地使用它们,只需要改变一件小事.因为您正在使用?"占位符,最好通过execute方法传递参数.

No, prepared queries (when used properly) will ensure data is properly escaped for safe querying. You are kind of using them properly, just need change one little thing. Because you are using the '?' placeholder, it is better to pass params through the execute method.

$sql->execute(array($consulta));

如果您将其输出到您的页面,请务必小心,数据库清理并不意味着它可以安全地在 HTML 中显示,因此也可以在其上运行 htmlspecialchars().

Just be careful if you're outputting that to your page, database sanitization does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well.

相关文章