mysql_real_escape_string 和单引号
我很沮丧。 我希望能够用单引号插入我的数据库名称 - 例如,O'Connor。
因此,当插入数据库时,我这样做:
$lname = mysql_real_escape_string($_POST['lname']);
然后将 $lname 插入数据库。
当它在数据库中时,它显示为奥康纳。
因此,如果我要回忆起网络应用程序中的姓氏,我将不得不使用:
$lname = stripslashes($r["lname"]);
这一切似乎都工作正常。 但是,我有一个搜索功能,可以搜索姓氏并显示结果。 当我搜索时,我必须搜索奥康纳才能得到任何结果。
你看,我搜索后,文本框自动存储刚刚搜索的值(使用会话)。 所以我的代码是这样的:
$search = mysql_real_escape_string($_GET['search']);
$_SESSION['search'] = $search;
就像我之前说的,当我搜索时,我必须使用“O\'Connor”,然后我搜索后,文本框中的值变成“O\\\\'Connor”,
这真是令人沮丧试图弄清楚这一点。 有谁知道我做错了什么? 谢谢!
编辑:
这是我的 php5.ini 文件,关于魔术引号:
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
但是,我的网站托管在 GoDaddy 上,我没有编辑该文件的权限:(
I'm quite frustrated. I want to be able to insert into my database names with single quotes - for example, O'Connor.
So, when inserting into the DB, I do:
$lname = mysql_real_escape_string($_POST['lname']);
And then I insert $lname into the DB.
When it's in the DB, it appears as O\'Connor.
So, if I were to recall that last name in my web application, I will have to use:
$lname = stripslashes($r["lname"]);
This all seems to work fine. However, I have a search function which will search for last names and display the results. When I search, I have to search for O\'Connor in order to get any results.
You see, after I search, the textbox automatically stores the value of what was just searched for (using sessions). So my code is this:
$search = mysql_real_escape_string($_GET['search']);
$_SESSION['search'] = $search;
Like I said before, when I search, I have to use "O\'Connor", and then after I search, the value in the textbox becomes "O\\\\'Connor"
It's been frustrating trying to figure this out. Does anyone know what I'm doing wrong? Thanks!
EDIT:
Here is my php5.ini file, regarding magic quotes:
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
However, my site is hosted on GoDaddy, and I do not have permissions to edit the file :(
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
听起来您的 PHP 配置中启用了 Magic Quotes 。
要检查它是否确实已启用:
要禁用,请编辑您的php.ini 文件:
或者将此行添加到您的 .htaccess:
It sounds like Magic Quotes are enabled in your PHP configuration.
To check if it's actually enabled:
To disable, edit your php.ini file:
Or add this line to your .htaccess:
魔术引号已启用。 这意味着放置在 post 或 get 或其他类似位置的任何内容都会自动转义,因此初学者不必太担心。 如果我没记错的话,它在当前版本的 PHP 中已被弃用。
您想要处理这个问题,并让脚本在任何配置中都以相同的方式运行,如下所示:
您可能需要进一步修改它以将非数字数据括在引号中,这是一种常见的变体,但我发现它最好手动放置这些引号。
Magic quotes are enabled. What this means is that anything placed in post or get or other similar locations is automatically escaped so that beginning programmers don't have to worry about it as much. It is deprecated in the current version of PHP, if I remember correctly.
What you want to do to deal with this, and have the script run the same from any configuration is the following:
You may want to further modify this to wrap non-numeric data in quotes, which is a common variation, but I find it is better to place those quotes manually.
对 fixinput 函数进行少量编辑,以检查您安装的 PHP 是否确实具有真正的转义字符串(旧版本没有):
Little edit to the fixinput function to check if your installation of PHP does indeed have real escape string (older versions don't):
我不检查
get_magic_quotes_gpc是否打开/关闭。我只是这样做
$lname = mysql_real_escape_string(stripslashes($_POST['lname']));因此,如果没有任何引用的文本,它不会删除斜杠..如果有引用,它将删除它们。这对我来说有奇效!
I dont check for
get_magic_quotes_gpcis on/off.I just do
$lname = mysql_real_escape_string(stripslashes($_POST['lname']));so if there is not any quoted text it wont strip slashes.. if there is quoted it will strip them off.and it works wonders for me!
错误! 当您使用 mysql_real_escape_string 转义字符串时,它们仅在查询中转义。 数据库解释查询,因此数据最终进入数据库,没有任何转义字符。 从数据库中提取数据时,您不必必须使用
stripslashes。 如果您认为这样做,则意味着数据库中的数据已被破坏。 很可能是因为您打开了魔术引号。您应该:
特别是,不要使用
fixinput和此处某些答案中列出的变体来创建函数。 这是解决问题的错误方法,因为它会弄乱任何不是来自 http 请求的数据。Wrong! When you escape strings with
mysql_real_escape_string, they are only escaped in the query. The database interprets the query, so the data ends up in the database without any escape-characters. You do not have to usestripslasheswhen pulling data out of the database. If you think you do, then it means that the data in your database is mangled. Most likely because you have magic quotes turned on.You should:
mysql_real_escape_string. You should do this where you are building the query.In particular, do not make a function a la the
fixinputand variants that is listed in some of the answers here. It is the wrong way to solve the problem, because it will mess up any data that doesn't come from a http-request.您需要做的就是获取搜索查询,mysql_real_escape_string 它,它应该完全没问题。 不过,做到这一点的最佳方法是永远不要存储转义的内容,而只是转义它,所有内容都会进入数据库。
相反,请执行以下操作:
All you need to do is take the search query, mysql_real_escape_string it, and it should be perfectly fine. The best way to do this though is to never store it escaped, and instead just escape it everything is goes into the database.
Instead, do this: