Lightly processing strings so that a query cannot be hit by SQL injection is common sense. When we switch PHP versions, errors such as Call To Undefined Function sometimes appear, and we often end up writing some compatibility handling of our own.

However, if we are writing a plugin on the WordPress platform, none of that trouble is necessary.

In a WordPress environment the platform already provides some handy functions that wrap this compatibility handling. All we need is the following fix:

- $dest = mysql_escape_string($src);
+ $dest = esc_sql($src);
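Review bot: per the esc_sql() docblock quoted below, spot-escaping is the exception and wpdb::prepare() is the usual way to build a query, so consider `$wpdb->prepare( "... WHERE col = %s", $src )` instead of escaping $src and splicing it in. esc_sql() only escapes (via mysqli_real_escape_string(), or addslashes() when no connection is set); it does not add quotes, so the replacement line still relies on the caller wrapping $dest in quotes inside the query.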

That alone is enough.

The relevant code is as follows:

/**
 * Escapes data for use in a MySQL query.
 *
 * Usually you should prepare queries using wpdb::prepare().
 * Sometimes, spot-escaping is required or useful. One example
 * is preparing an array for use in an IN clause.
 *
 * @since 2.8.0
 *
 * @global wpdb $wpdb WordPress database abstraction object.
 *
 * @param string|array $data Unescaped data
 * @return string|array Escaped data
 */
function esc_sql( $data ) {
        global $wpdb;
        return $wpdb->_escape( $data );
}

// _escape() and _real_escape() below are methods of the wpdb class (hence $this);
// esc_sql() above simply delegates to them through the global $wpdb object.
/**
 * Escape data. Works on arrays.
 *
 * @uses wpdb::_real_escape()
 * @since  2.8.0
 * @access private
 *
 * @param  string|array $data
 * @return string|array escaped
 */
function _escape( $data ) {
        if ( is_array( $data ) ) {
                foreach ( $data as $k => $v ) {
                        if ( is_array($v) )
                                $data[$k] = $this->_escape( $v );
                        else
                                $data[$k] = $this->_real_escape( $v );
                }
        } else {
                $data = $this->_real_escape( $data );
        }

        return $data;
}

/**
 * Real escape, using mysqli_real_escape_string() or mysql_real_escape_string()
 *
 * @see mysqli_real_escape_string()
 * @see mysql_real_escape_string()
 * @since 2.8.0
 * @access private
 *
 * @param  string $string to escape
 * @return string escaped
 */
function _real_escape( $string ) {
        if ( $this->dbh ) {
                if ( $this->use_mysqli ) {
                        return mysqli_real_escape_string( $this->dbh, $string );
                } else {
                        return mysql_real_escape_string( $string, $this->dbh );
                }
        }

        $class = get_class( $this );
        if ( function_exists( '__' ) ) {
                /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */
                _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), E_USER_NOTICE );
        } else {
                _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), E_USER_NOTICE );
        }
        return addslashes( $string );
}
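As an added example (not code from the original post or from WordPress core), here is how a plugin would apply the docblock's advice: wpdb::prepare() for ordinary values, and esc_sql() only for the IN-clause case the docblock mentions. It assumes it runs inside WordPress, so that the global $wpdb and esc_sql() exist; the myplugin_ function names are hypothetical.

```php
<?php
// Added example, not part of the original post or of WordPress core.
// Assumes it is loaded inside WordPress (global $wpdb and esc_sql() available).

/**
 * Look up a post title by an untrusted ID and status.
 * Scalar values go through wpdb::prepare(), which escapes AND quotes
 * (%d for integers, %s for strings), so nothing is spliced in by hand.
 */
function myplugin_get_post_title( $post_id, $status ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT post_title FROM {$wpdb->posts} WHERE ID = %d AND post_status = %s",
        $post_id,
        $status
    );
    return $wpdb->get_var( $sql );
}

/**
 * The IN-clause case from the esc_sql() docblock: spot-escape an array.
 * esc_sql() accepts an array and returns an array of escaped strings, but it
 * does NOT add quotes, so each value is still wrapped in single quotes here.
 */
function myplugin_get_posts_by_slugs( array $slugs ) {
    global $wpdb;
    if ( empty( $slugs ) ) {
        return array();
    }
    $escaped = esc_sql( $slugs );
    $in_list = "'" . implode( "','", $escaped ) . "'";
    $sql     = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name IN ($in_list)";
    return $wpdb->get_results( $sql );
}

/**
 * Same IN clause without any spot-escaping: build one %s placeholder per
 * value and let wpdb::prepare() quote them. This is the form to prefer when
 * the list is short enough to pass as arguments.
 */
function myplugin_get_posts_by_slugs_prepared( array $slugs ) {
    global $wpdb;
    if ( empty( $slugs ) ) {
        return array();
    }
    $placeholders = implode( ',', array_fill( 0, count( $slugs ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name IN ($placeholders)",
        $slugs
    );
    return $wpdb->get_results( $sql );
}
```

Note that an escaped value left unquoted in the query (for example `WHERE post_name = ` . esc_sql( $name )) is still interpreted as bare SQL, which is why the docblock steers you to wpdb::prepare() by default.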

As shown above, WordPress already wraps this at the platform level. If you are writing your own code, you can borrow from it, but if you are writing a WP plugin and still reinvent this wheel yourself, there really is no need.
