PHP - 单引号过滤
我有一些 HTML 代码保存在 PHP 字符串中,
$str = "<font size=2 color=#e0e0e0>you don't have a clue</font>";
我必须将此字符串写入数据库,因此 $str 必须成为查询的一部分..
现在无论我的查询如何...只要它工作正常因为字符串中没有 '单引号...
以下两个中的任何一个都可以解决我的问题
一些内置方法解析 PHP 字符串并从中删除所有
'单引号...我记得在访问时提到过这样的函数通过SQL注入。- 如何允许
'单引号通过查询提交到数据库而不更改查询,即如何使该查询工作
$str = "不要";mysql_query("更新内容SET text='".$str."' WHERE p_ID='1');- 如何允许
注意:
- 我们不能让用户来处理它或遵循某种技术来处理它已成功
'提交, $str来自用户输入...我正在使用WMD和PHP Markdown,所以现在你知道问题出在哪里了......
i have some HTML code saved in a PHP string
$str = "<font size=2 color=#e0e0e0>you don't have a clue</font>";
i have to write this string to DB so the $str has to become part of the query..
now whatever my query... its working fine as long as there are no 'SINGLE QUOTES in the string....
any of the following two will solve my problem
some built-in method parse a PHP string and remove all the
'SINGLE QUOTES from it... i remember mention of such a function while going through SQL Injection.- How to allow
'SINGLE QUOTES submitted to DB via Query without altering Query i.e how to make this query work
$str = "Don't";mysql_query("UPDATE content SET text='".$str."' WHERE p_ID='1');- How to allow
NOTE:
- we can't have users to take care of it or follow a technique to have successfull
'submission - the
$strcomes from user input... i am using WMD and PHP Markdown, so now you know where the problem is...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
使用
mysql_real_escape_string:在将用户输入提交到数据库之前不转义用户输入是一个安全漏洞,它允许用户注入定制的查询块,该块将改变您的原始查询,并与其一起执行。这不仅是为了允许合法用户提交包含单引号的内容,也是为了防止邪恶用户 sql-注入我们的查询。
Use
mysql_real_escape_string:Not escaping user inputs before submitting them to the database, is a security hole, it allows users to inject a tailored query chunk that will alter your original query, and execute along with it. It's not just to allow legitimate users to submit content that includes single quotations, but also to prevent evil users from sql-injecting our queries.
您应该真正考虑使用 PDO 和 参数化查询。
You should really think about using PDO and parameterized queries.