mysql_set_charset (PHP 5 >= 5.2.3)
mysql_set_charset — Sets the client character set
Description
bool mysql_set_charset ( string $charset [, resource $link_identifier ] )
Sets the default character set for the current connection.
Parameters
charset: A valid character set name.
link_identifier: The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If by chance no connection is found or established, an E_WARNING level error is generated.
http://cn.php.net/manual/en/mysqli.set-charset.php
As for why mysql_query("set names xxx") is vulnerable, the full explanation is fairly involved; in one sentence: in certain encodings, \ can be part of a character, which makes the string get parsed incorrectly. What mysqli_set_charset does is, besides setting the client, connection and result character sets, also set the charset of a certain internal MySQL structure. Stop using set names, and stop telling other people to use it.
What exactly is the part in red saying gets set?
addslashes (PHP 4, PHP 5)
addslashes — Quote string with slashes
Description
string addslashes ( string $str )
Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)
mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement
Description
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
mysql_real_escape_string — Escapes the special characters in a string used in an SQL statement, taking the connection's current character set into account
Description
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
This function escapes the special characters in unescaped_string, taking the connection's current character set into account, so that the result can be used safely in mysql_query().
To summarise:
First: mysql_set_charset (PHP 5 >= 5.2.3). If your PHP is above that version, use this function; it calls MySQL's mysql_set_character_set (only available from MySQL 5.0.7 on). If all your versions meet the above, use it.
Second: mysql_real_escape_string is better than addslashes.
mysql_real_escape_string takes the character set into account.
I haven't looked at the underlying code, but going by the manual documentation above, mysql_real_escape_string is best used together with mysql_set_charset,
because both involve character set issues, and mysql_set_charset is what sets the character set.
* This MySQL structure has a member called charset.
* MySQL's multibyte handling has a concept called a handler. Every character set has its own handlers, used to decide what is a multibyte character and so on.
* The role of MySQL.charset is to tell mysql, in certain situations, which handler to call. For example, MySQL.charset="gbk" makes it call the gbk handlers.
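To make the point above concrete (that in some encodings a \ can become part of a character, so escaping has to know the connection charset), here is an added Python model, not PHP's or MySQL's own code, of a byte-oriented addslashes() next to a charset-aware escaper of the kind mysql_real_escape_string() becomes once mysql_set_charset() has told the client library the connection charset is GBK, plus a small model of the server lexer that shows which escaper keeps the quote inside the literal. It assumes GBK's structural rules (lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0x80-0xFE) and that the server consumes whole GBK characters before it looks for a backslash; the query text is constructed for the example.

```python
SPECIAL = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
           0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z"}  # the manual's list above

def gbk_char_len(data: bytes, i: int) -> int:
    # 2 if data[i:i+2] is a structurally valid GBK character (lead 0x81-0xFE,
    # trail 0x40-0x7E or 0x80-0xFE), else 1. Note that 0x5C ('\') is a valid trail.
    ok = i + 1 < len(data) and 0x81 <= data[i] <= 0xFE and (
        0x40 <= data[i + 1] <= 0x7E or 0x80 <= data[i + 1] <= 0xFE)
    return 2 if ok else 1

def addslashes(data: bytes) -> bytes:
    # Byte-oriented escaping as PHP's addslashes(): knows nothing about the charset.
    out = bytearray()
    for b in data:
        out += b"\\" + bytes([b]) if b in b"'\"\\" else (b"\\0" if b == 0 else bytes([b]))
    return bytes(out)

def escape_gbk(data: bytes) -> bytes:
    # Charset-aware escaping: a valid GBK character is copied whole, so no backslash
    # lands inside it; a lone lead byte is escaped itself, so it cannot pair with 0x5C.
    out, i = bytearray(), 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n == 2:
            out += data[i:i + 2]
        elif data[i] in SPECIAL:
            out += SPECIAL[data[i]]
        elif 0x81 <= data[i] <= 0xFE:
            out += b"\\" + data[i:i + 1]
        else:
            out += data[i:i + 1]
        i += n
    return bytes(out)

def literal_end(sql: bytes, start: int):
    # Server lexer model: from `start`, a GBK character is consumed whole, a backslash
    # consumes the next byte, and the first remaining quote ends the literal (or None).
    i = start
    while i < len(sql):
        n = gbk_char_len(sql, i)
        if n == 1 and sql[i] == 0x27:
            return i
        i += 2 if n == 1 and sql[i] == 0x5C else n
    return None

def quote_survives(escaper, user_input: bytes) -> bool:
    # True if the lexer ends the literal exactly at the closing quote the query appended.
    prefix = b"SELECT id FROM users WHERE name='"
    escaped = escaper(user_input)
    sql = prefix + escaped + b"' AND active=1"
    return literal_end(sql, len(prefix)) == len(prefix) + len(escaped)
```

For the input bytes 0xBF 0x27, addslashes() yields 0xBF 0x5C 0x27, which the GBK lexer reads as one two-byte character followed by a bare quote, whereas the charset-aware escaper yields 0x5C 0xBF 0x5C 0x27 and the quote stays inside the literal; for ordinary ASCII or complete GBK characters both escapers produce identical output.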