PHP mysql_real_escape_string() -> stripslashes() leaves multiple slashes

Posted 2024-08-06 06:09:24

I'm having issues escaping/stripping strings with PHP/MySQL - there always seems to be redundant slashes.


Let's take the following string as an example:

<span style="text-decoration:underline;">underline</span>

When adding a string to the database, I'm escaping it with mysql_real_escape_string() and the following gets stored in the database (EDIT: checked this by querying the database directly with mysql app):

<span style=\\\"text-decoration:underline;\\\">underline</span>

When reading back out of the database, I'm passing the string through stripslashes() and the following is returned:

<span style=\"text-decoration:underline;\">underline</span>

Since the quotes are still escaped, it breaks the html and the text is not underlined.


  1. Why is mysql_real_escape_string() adding three slashes, and stripslashes() removing two slashes? I would expect them both to add/remove one slash.
  2. How can I prevent this from happening?
  3. Am I approaching this the correct way?

Comments (3)

丶情人眼里出诗心の 2024-08-13 06:09:24

Best Solution

In your php.ini file, odds are that the magic_quotes_gpc directive is set to on. This should be disabled for security reasons. If you don't have access to the php.ini file (eg. on a shared host), you can always accomplish the same using an .htaccess directive (assuming this is an apache server).

In your php.ini

magic_quotes_gpc Off

In an .htaccess file:

php_flag magic_quotes_gpc Off

Why is this happening?

The reason this is happening is due to the following course of logic.

  1. A string that needs escaping is sent to the server.
    • This is my string. It's awesome.
  2. Magic Quotes escapes the apostrophe before it gets to your code.
    • This is my string. It\'s awesome
  3. mysql_real_escape_string now has two characters to escape, the backslash \\ as well as the apostrophe \'.
    • This is my string. It\\\'s awesome
  4. This new super-escaped string is stored in the database.
  5. When the string is retrieved from the database, it gets passed to stripslashes. This removes the two escapes added in step 3, but since one of the backslashes has been escaped stripslashes thinks it belongs.
    • This is my string. It\'s awesome

This problem can really get out of hand when you re-submit these strings to the database, as each time the number of backslashes multiplies.

Alternative Solution

A quick-and-easy alternative would be to simply remove the slashes added by magic_quotes before passing the string to mysql_real_escape_string.

$str = stripslashes($_POST['str']);    // undo the addslashes() that magic_quotes_gpc applied to the request
$str = mysql_real_escape_string($str); // then escape exactly once, for the query

归途 2024-08-13 06:09:24

When adding a string to the database, I'm escaping it with mysql_real_escape_string() and the following gets stored in the database:

<span style=\\\"text-decoration:underline;\\\">underline</span>

No it's not. When you escape strings in a sql query, it is only to transport the data in the query. The database parses the query and stores the data in the database, without any extra slashes. Thus, when you retrieve data from the database, you should not unescape anything. It's a common misconception.

If you find that there are excess slashes in the output, you probably have magic quotes turned on. Turn them off.

Edit:

mysql> create table foo (bar text) ;
Query OK, 0 rows affected (0.01 sec)

mysql> INSERT INTO foo (bar) VALUES ("<span style=\\\"text-decoration:underline;\\\">underline</span>");
Query OK, 1 row affected (0.00 sec)

mysql> SELECT * FROM foo;
+-------------------------------------------------------------+
| bar                                                         |
+-------------------------------------------------------------+
| <span style=\"text-decoration:underline;\">underline</span> | 
+-------------------------------------------------------------+
1 row in set (0.00 sec)

As you can see, the query has one more level of escaping than the data appears with within the database, and consequently than how it comes out when querying for it. In your case, what is probably going on is that you have magic quotes turned on and then you escape strings before embedding them in a query. This leads to double-escaping, tampering with your data. The proper solution is to keep escaping strings as you do, but turn off magic quotes. And don't do anything to the data as it comes out of the database. Beware that data already in the system needs to be cleaned up first.

桃扇骨 2024-08-13 06:09:24

If get_magic_quotes_gpc() is off on the server, we can simply use

$data= mysql_real_escape_string($_POST['data']);

If get_magic_quotes_gpc() is on on the server, we have to use

$data= mysql_real_escape_string(stripslashes($_POST['data']));

otherwise two backslashes get added to your data.

Another solution is that we can use stripslashes($data) when fetching from the database, if we only use mysql_real_escape_string($_POST['data']);
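To make the slash arithmetic in the three answers checkable offline, here is an added example that is not code from the original thread: a small Python model of the four layers involved (magic_quotes_gpc's addslashes(), mysql_real_escape_string(), MySQL's parsing of the quoted literal, and stripslashes() on output). The PHP functions and the MySQL literal parser are re-implemented here under stated assumptions (single-byte charset, NO_BACKSLASH_ESCAPES off, magic_quotes_runtime off); the helper names round_trip and resubmit_growth are this example's own, and the sample values are constructed.

```python
# Added example (not code from the original thread): a Python model of the
# escaping layers the answers above describe, so the slash counts can be
# traced without PHP or a MySQL server.  Assumptions: single-byte charset,
# NO_BACKSLASH_ESCAPES off, magic_quotes_runtime off.

def php_addslashes(s: str) -> str:
    """What magic_quotes_gpc does to every request value: backslash-escape
    the quote characters and the backslash itself; NUL becomes \\0."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def mysql_real_escape_string(s: str) -> str:
    """Escape a value for use inside a quoted MySQL string literal, the way
    libmysql's mysql_real_escape_string() does for a single-byte charset."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


def mysql_parse_literal(escaped: str) -> str:
    """What the server actually stores after parsing a quoted literal: one
    level of backslash escapes is consumed, nothing is added."""
    rev = {"\\": "\\", "'": "'", '"': '"', "0": "\x00", "n": "\n",
           "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t",
           "%": "\\%", "_": "\\_"}           # \% and \_ are kept as written
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "\\" and i + 1 < len(escaped):
            nxt = escaped[i + 1]
            out.append(rev.get(nxt, nxt))    # unknown escape: backslash dropped
            i += 2
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


def php_stripslashes(s: str) -> str:
    """PHP stripslashes(): remove one backslash; \\\\ -> \\ and \\0 -> NUL."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\x00" if s[i + 1] == "0" else s[i + 1])
            i += 2                           # a trailing lone backslash is dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def round_trip(request_value, magic_quotes, strip_input=False, strip_output=False):
    """One request -> INSERT -> SELECT -> render cycle.
    Returns (what PHP put into the query, what MySQL stored, what was rendered)."""
    php_value = php_addslashes(request_value) if magic_quotes else request_value
    if strip_input:                          # the "alternative solution" / answer 3
        php_value = php_stripslashes(php_value)
    in_query = mysql_real_escape_string(php_value)
    stored = mysql_parse_literal(in_query)
    rendered = php_stripslashes(stored) if strip_output else stored
    return in_query, stored, rendered


def resubmit_growth(value, rounds, magic_quotes=True):
    """Backslashes in the stored value after each edit-and-resave round with
    magic quotes on and nothing stripped: the blow-up answer 1 warns about."""
    counts = []
    for _ in range(rounds):
        _, stored, rendered = round_trip(value, magic_quotes)
        counts.append(stored.count("\\"))
        value = rendered                     # the user re-submits what the page showed
    return counts


if __name__ == "__main__":
    html = '<span style="text-decoration:underline;">underline</span>'   # constructed input
    cases = [("magic_quotes_gpc=On, no stripping", dict(magic_quotes=True)),
             ("magic_quotes_gpc=Off, no stripping", dict(magic_quotes=False)),
             ("magic_quotes_gpc=On, stripslashes() on input", dict(magic_quotes=True, strip_input=True))]
    for label, kw in cases:
        q, stored, rendered = round_trip(html, **kw)
        print(f"{label}\n  in query: {q}\n  stored:   {stored}\n  rendered: {rendered}")
    print("stored backslashes per resubmission:", resubmit_growth(html, 4))
    # Why stripslashes() on the way out is wrong even where it seems to help:
    print(round_trip("C:\\temp", magic_quotes=False, strip_output=True)[2])  # C:temp
```

The model reproduces the second answer's mysql transcript: the literal in the query carries one escaping level more than what MySQL stores, so with magic quotes on and no stripping the page renders the same broken `\"` the question shows, and with magic quotes off it renders the original markup untouched. It also shows the two caveats a practitioner should keep in mind: resubmitting a value through the magic-quotes path grows the stored backslash count as 2, 6, 14, 30, and stripslashes() on output silently corrupts legitimate backslashes in stored data (a stored `C:\temp` comes back as `C:temp`). magic_quotes_gpc was removed in PHP 5.4 and the mysql_* extension in PHP 7.0; with mysqli or PDO prepared statements the value is sent separately from the SQL text, so there is no escaping layer left to double up.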
