WordPress Function Reference: esc_sql()
SQL query string handling
Description
Prepares a string for use as an SQL query. This function is a glorified addslashes() that works with arrays.
In 99% of cases, you can use $wpdb->prepare() instead, and that is the recommended method. This function is only for use in those rare cases where you can’t easily use $wpdb->prepare().
Note: Be careful to use this function correctly. It will only escape values to be used in strings in the query. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords.
Usage
<?php esc_sql( $data ); ?>
Parameters
$data
(string|array) (required) The SQL query string or data to escape.
Default: None
Return value
(string)
The escaped string, safe for use inside an SQL query.
Example
For SQL escaping, $wpdb->prepare() is still the preferred choice, because it corrects some common formatting errors.
Notes
- $wpdb->prepare() is generally preferred as it corrects some common formatting errors.
- This function was formerly just an alias for $wpdb->escape(), but that function has now been deprecated.
- It should be noted that this function will only escape values to be used in strings in the query, as shown in the above example. That is, it only provides escaping for values that will be within quotes (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}.
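The quoted-versus-unquoted distinction above, as an added example (not code from the Codex page or from WordPress core). It assumes WordPress is loaded, so esc_sql() and the global $wpdb exist; the table, column names and input values are constructed for illustration.

```php
<?php
// Added example; assumes a loaded WordPress environment (e.g. run from a plugin).

/**
 * Build an IN (...) list from untrusted strings.
 * esc_sql() accepts an array and escapes each element, but it only
 * protects values that end up INSIDE quotes, so each element is
 * wrapped in single quotes here.
 */
function demo_in_clause( array $untrusted_slugs ) {
    $escaped = esc_sql( $untrusted_slugs ); // returns an array of escaped strings
    $quoted  = array_map( function ( $v ) { return "'" . $v . "'"; }, $escaped );
    return 'IN (' . implode( ',', $quoted ) . ')';
}

/**
 * ORDER BY takes an identifier, not a string literal, so esc_sql()
 * cannot make it safe. Validate against an allowlist of column names
 * and fall back to a fixed default instead.
 */
function demo_order_by( $untrusted_column ) {
    $allowed = array( 'post_date', 'post_title', 'ID' );
    $column  = in_array( $untrusted_column, $allowed, true ) ? $untrusted_column : 'post_date';
    return 'ORDER BY ' . $column;
}

/**
 * Preferred form: $wpdb->prepare() handles quoting and escaping together,
 * so the value is never concatenated into the SQL by hand.
 */
function demo_prepared( $wpdb, $untrusted_status ) {
    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_status = %s",
        $untrusted_status
    );
}

// Constructed untrusted inputs (hypothetical request data).
$slugs  = array( 'hello-world', "o'reilly" );  // second value contains a quote
$column = 'not_a_column';                      // rejected by the allowlist

global $wpdb;
$sql = "SELECT ID FROM {$wpdb->posts} WHERE post_name "
     . demo_in_clause( $slugs ) . ' ' . demo_order_by( $column );
$ids        = $wpdb->get_col( $sql );
$published  = $wpdb->get_col( demo_prepared( $wpdb, 'publish' ) );
```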
History
Added in version: 2.8.0
Source file
The code for esc_sql() is located in wp-includes/formatting.php.
/* ----------------------------------
 * WordPress function, collected by kim
 * ---------------------------------- */
/**
 * Escapes data for use in a MySQL query.
 *
 * Usually you should prepare queries using wpdb::prepare().
 * Sometimes, spot-escaping is required or useful. One example
 * is preparing an array for use in an IN clause.
 *
 * @since 2.8.0
 *
 * @global wpdb $wpdb
 *
 * @param string|array $data Unescaped data
 * @return string|array Escaped data
 */
function esc_sql( $data ) {
    global $wpdb;
    return $wpdb->_escape( $data );
}
Related
like_escape(), tag_escape(), urlencode(), urlencode_deep()
See: Data Validation article for an in-depth discussion of input and output sanitization.
- esc_html()
- esc_html__()
- esc_html_e()
- esc_attr()
- esc_attr__()
- esc_attr_e()
- esc_js()
- esc_sql()
- esc_textarea()
- esc_url()
- esc_url_raw()
- Source: http://codex.wordpress.org/Function_Reference/esc_sql