pg_escape_string

    (PHP 4 >= 4.2.0, PHP 5, PHP 7, PHP 8)

    pg_escape_string 转义字符串以供查询

    说明

    pg_escape_string(PgSql\Connection $connection = ?, string $data): string

    pg_escape_string() 转义用于查询数据库的字符串。它返回不带引号的 PostgreSQL 格式的转义字符串。pg_escape_literal() 是为 PostgreSQL 转义 SQL 参数的首选方法。addslashes() 不得与 PostgreSQL 一起使用。如果列的类型是 bytea,则必须改用 pg_escape_bytea()pg_escape_identifier() 必须用于转义标识符(例如表名、字段名)

    注意:

    本函数需要 PostgreSQL 7.2 及其更高版本。

    参数

    connection

    An PgSql\Connection instance. When connection is unspecified, the default connection is used. The default connection is the last connection made by pg_connect() or pg_pconnect().

    警告

    As of PHP 8.1.0, using the default connection is deprecated.

    data

    包含要转义的 string

    返回值

    包含转义数据的 string

    更新日志

    版本 说明
    8.1.0 现在 connection 参数接受 PgSql\Connection 实例,之前接受 resource

    示例

    示例 #1 pg_escape_string() 示例

    <?php
    // 连接到数据库
    $dbconn = pg_connect('dbname=foo');

    // 读入文本文件(包含撇号和反斜线)
    $data = file_get_contents('letter.txt');

    // 转义文本数据
    $escaped = pg_escape_string($data);

    // 将其插入数据库
    pg_query("INSERT INTO correspondence (name, data) VALUES ('My letter', '{$escaped}')");
    ?>

    参见

    改进此页面

    了解如何改进此页面提交拉取请求报告一个错误
    添加备注

    用户贡献的备注 7 notes

    up
    5
    strata_ranger at hotmail dot com
    14 years ago
    Forthose curious, the exact escaping performed on the string may vary slightly depending on your database configuration.

    For example, if your database's standard_conforming_strings variable is OFF, backslashes are treated as a special character and pg_escape_string() will ensure they are properly escaped. If this variable is ON, backslashes will be treated as ordinary characters, and pg_escape_string() will leave them as-is. In either case, the behavior matches the configuration of the database connection.
    up
    3
    ringerc at ringerc dot id dot au
    10 years ago
    You should prefer to use pg_query_params, i.e. use parameterized queries, rather than using pg_escape_string. Or use the newer PDO interface with its parameterized query support.

    If you must substitute values directly, e.g. in DDL commands that don't support execution as parameterized queries, do so with pg_escape_literal:

    http://au1.php.net/manual/en/function.pg-escape-literal.php

    Identifiers can't be used as query parameters. Always use pg_escape_identifier for these if they're substituted dynamically:

    http://au1.php.net/manual/en/function.pg-escape-identifier.php

    You should not need to change text encodings when using this function. Make sure your connection's client_encoding is set to the text encoding used by PHP, and the PostgreSQL client driver will take care of text encodings for you. No explicit utf-8 conversions should be necessary with a correctly set client_encoding.
    up
    2
    Nathan Bruer
    16 years ago
    If your database is a UTF-8 database, you will run into problems trying to add some data into your database...

    for securty issues and/or compatability you may need to use the: utf_encode() (http://php.net/utf8-encode) function.

    for example:
    <?php
    $my_data     = pg_escape_string(utf8_encode($_POST['my_data']));
    ?>
    up
    0
    ppp
    13 years ago
    pg_escape_string() won't cast array arguments to the "Array" string like php usually does; it returns NULL instead. The following statements all evaluate to true:

    <?php
    $a     = array('foo', 'bar');

    "$a" == 'Array';
    (string)    $a == 'Array';
    $a . '' == 'Array';

    is_null(pg_escape_string($a));
    ?>
    up
    0
    johniskew2 at yahoo dot com
    18 years ago
    For those who escape their single quotes with a backslash (ie \') instead of two single quotes in a row (ie '') there has recently been a SERIOUS sql injection vulnerability that can be employed taking advantage of your chosen escaping method. More info here: http://www.postgresql.org/docs/techdocs.50
    Even after the postgre update, you may still be limited to what you can do with your queries if you still insist on backslash escaping. It's a lesson to always use the PHP functions to do proper escaping instead of adhoc addslashes or magic quotes escaping.
    up
    0
    meng
    18 years ago
    Since php 5.1 the new function pg_query_params() was introduced. With this function you can use bind variables and don't have to escape strings. If you can use it, do so. If unsure why, check the changelog for Postgres 8.0.8.
    up
    0
    otix
    18 years ago
    Creating a double-tick is just fine. It works the same as the backslash-tick syntax. From the PostgreSQL docs:

    The fact that string constants are bound by single quotes presents an obvious semantic problem, however, in that if the sequence itself contains a single quote, the literal bounds of the constant are made ambiguous. To escape (make literal) a single quote within the string, you may type two adjacent single quotes. The parser will interpret the two adjacent single quotes within the string constant as a single, literal single quote. PostgreSQL will also allow single quotes to be embedded by using a C-style backslash.
    添加备注
    To Top