mysql_real_escape_string 将字符串中的特殊字符进行转义，以在 SQL 语句中使用 &mysql.alternative.note; mysqli_real_escape_string PDO::quote &reftitle.description; stringmysql_real_escape_string stringunescaped_string resourcelink_identifierNULL 考虑到连接的当前字符集，对 unescaped_string 进行特殊字符转义，以便安全地将其放置在 mysql_query 中。如果要插入二进制数据，则必须使用此函数。 mysql_real_escape_string 调用 mysql 库的函数 mysql_real_escape_string, 在以下字符前添加反斜线：\x00、\n、\r、\、'、" 和 \x1a. 在向 MySQL 发送查询之前，必须始终（有少数例外）使用此函数来确保数据的安全。 The character set must be set either at the server level, or with the API function mysql_set_charset for it to affect mysql_real_escape_string. See the concepts section on character sets for more information. &reftitle.parameters; unescaped_string The string that is to be escaped. &mysql.linkid.description; &reftitle.returnvalues; Returns the escaped string, or &false; on error. &reftitle.errors; Executing this function without a MySQL connection present will also emit E_WARNING level PHP errors. Only execute this function with a valid MySQL connection present. &reftitle.examples; ]]> This example demonstrates what happens if a MySQL connection is not present when calling this function. ]]> &example.outputs.similar; ]]> The query sent to MySQL: This would allow anyone to log in without a valid password. &reftitle.notes; A MySQL connection is required before using mysql_real_escape_string otherwise an error of level E_WARNING is generated, and &false; is returned. If link_identifier isn't defined, the last MySQL connection is used. If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks. mysql_real_escape_string does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE. &reftitle.seealso; mysql_set_charset mysql_client_encoding