mysql_real_escape_string &斜线
首先是魔术引言和运行时在 php.ini 中正确禁用,并由 phpinfo() 确认。
PHP version: 5.3.4
MySQL version: 5.1.52
我只在数据上使用 mysql_real_escape_string ,在 htmlspecialchars 和修剪之后,这就是变量上的所有数据清理。
然而,当我提交单引号时,斜线仍保留在数据库中。
运行 mysql_query 时,我使用 "' . $var . '",尽管在过去这没有改变任何东西(可能是由于双引号?) 。
有什么想法吗?请不要告诉我有关 PDO/准备好的声明,我知道它们,并且我有这样做的理由。
谢谢!
代码示例(这是对数据所做的唯一操作):
mysql_real_escape_string( htmlspecialchars( trim( $data ) ) );
Firstly magic quotes & runtime are disabled correctly in php.ini, and confirmed by phpinfo().
PHP version: 5.3.4
MySQL version: 5.1.52
I'm only using mysql_real_escape_string on the data, after htmlspecialchars and a trim, that's all the data cleaning on the variable.
Yet, when I submit a single quote, the slash remains in the database.
When running mysql_query I'm using "' . $var . '", although in the past this hasn't changed anything (could be due to the double quotes?).
Any ideas? and please don't tell me about PDO/prepared statements, I'm aware of them and I have my reasons for doing it this way.
Thanks!
Code example (this is the only thing done to the data):
mysql_real_escape_string( htmlspecialchars( trim( $data ) ) );
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
否。仅使用
mysql_real_escape_string在数据库中存储数据。存储数据时不要损坏数据。函数
htmlspecialchars用于将字符串编码为 HTML(<变为<等),它只能用于这个目的。No. Only use
mysql_real_escape_stringfor storing data in the database. Don't mangle your data when you store it.The function
htmlspecialcharsis used to encode a string to HTML (<becomes<etc.) and it should only be used for this purpose.也许这个被严重误导、无益且具有破坏性的选项
已经启用?
您可以在 phpinfo() 的输出中检查这一点,但如果服务器管理员已全局启用它而无法覆盖,则您无能为力。
我建议检查它是否打开(当然在应用程序的每个页面上),如果是,则导致应用程序快速而痛苦地死亡,以确保避免数据损坏(这主要表现为您所描述的反斜杠的扩散)。
然后带着你选择的钝器去服务器管理员的房子。
希望你能在你的数据库被大量邪恶的自增反斜杠淹没之前完成这一切。
Perhaps the massively misguided, unhelpful and damaging option
Has been enabled?
You can check that in the output of phpinfo(), but there's not a lot you can do if the server admin has enabled it globally without the ability to overrride.
I recommend checking if it's on (on every page of the app of course), and if so, causing the application to die quickly and painfully to ensure that you avoid data corruption (which chiefly manifests itself as the proliferation of backslashes you described).
Then go around to the server admin's house with a blunt weapon of your choice.
Hopefully you can do all this before your database becomes overrun with hoards of evil self-multiplying backslashes.
您的存储过程是正确的。 (尽管可能不需要 htmlspecialchars 和/或修剪 - 但我不知道您的应用程序)
从您提供的信息来看,没有理由看出您的问题。
下一个调试方法将记住您的系统上可能更改或已经更改的任何其他内容(也许您正在使用某些第 3 方安装映像?)。
如果失败了,那就只能胡乱猜测可能的原因,为此我将提供第一个原因:
mysql 可能在 NO_BACKSLASH_ESCAPES - 模式,这会导致反斜杠被视为常规字符。
此外,看起来您正在将字符串括在双引号中,然后将单引号(通常会被转义)直接插入到数据库中,前面带有反斜杠。
也很可能 - 当你在 sql 语句中用双引号包裹你的字符串时,这不是它应该的样子,我很困惑你没有得到语法违规错误,你最终会得到一些像这样的查询
"john\'s house"这是由从 mysql_real_escape 转义的单引号引起的,如果您的查询正确地用单引号括起来,那么这将是正确的。这引出了我的问题。尝试插入双引号时是否出现语法错误(或注入的查询)?
至于你的评论。您可以很好地使用 pdo 准备语句,然后从中获取查询字符串,并使用 mysql 函数执行它们。但我意识到这并不能解决你的问题。
还请尝试将整个查询仅放入一个变量中,并在执行之前直接打印出来。然后看一下它并按照任何错误的操作返回操作来生成字符串。
your storing procedure is correct. (altough htmlspecialchars and/or trim is probably not needed - but i dunno about your application)
from the information you are providing there is no reason to be seen for your problem.
the next debugging approach would then be remembering whatever else you may changed or has been changed on your system (maby you are using some 3rd party installation image?).
if that fails ie is left to wild guessing possible causes, for which i will offer a first one:
mysql could be running in NO_BACKSLASH_ESCAPES -mode, which would cause backlashes to be treated as regular characters.
furthermore it looks like you are wrapping your strings in double quotes, which would then insert a single quote - which usually gets escaped - straight into your database, preceded by a backslash.
it may very likely be also possible that - as you are wrapping your strings with double quotes inside your sql statements, which is not how it should be like and i am baffled you dont get a syntax violation error, you end up with some query like
"john\'s house"which is caused by the single quote escaping from mysql_real_escape, which would be correct if you had your query correctly wrapped by single quotes.which leads me to the question. do you get a syntax error (or an injected query) when trying to insert double quotes?
as for your comment. you could very well prepare statements with pdo and, then get the query string form it, and execute them using mysql functions. however i realise that this is no solution to your problem.
please also try putting your whole query in only one variable and print that out directly before executing it. then have a look at it and follow any wrong manipulation back operation by operation that is done to produce the string.
如果在转义数据后在 SQL 命令中使用双引号:
那么它将存储并返回值作为
1\'2,反斜杠仍然完好无损。SQL 字符串的正确语法是使用单引号。这就是
mysql_real_escape_string转义的目的。否则它必须转义双引号,但它完全不知道双引号的用法。在 PHP 中使用双引号。 SQL 使用单引号。像这样重写你的代码:
If you use double quotes within the SQL commands after escaping the data:
then it will store and return the value as
1\'2with the backslash still intact.The proper syntax for SQL strings is using single quotes. That's what
mysql_real_escape_stringis escaping for. Else it would have to escape double quotes, whose usage however it is completely unaware of.Use double quotes in PHP. Use single quotes for SQL. Rewrite your code like that: