使用“使用PHP安全方式将数据输入到mysql”插入数据时出现的问题

发布于 2024-10-12 05:26:21 字数 559 浏览 7 评论 0原文

我正在尝试使用表单将数据输入MySQL,并且还使用mysql_real_escape_string来实现此目的。不幸的是我的输出有问题。它显示 \s,或者如果我使用 stripslashes 那么它会删除所有斜杠。

如果我使用反斜杠 \ 提交 web 表单,我会得到以下输出:

"web\'s forms using backslash \\"

See I got a double backslash.但是,如果我使用 stripslashes 函数,那么它会删除所有斜杠,但也会删除输入的斜杠,并且输出为

"web's forms using backslash"

Here,不显示反斜杠,但末尾应该有一个反斜杠。

问题是,如果有人在密码字段和任何其他字段中使用反斜杠,那么反斜杠将被删除或显示两次。还请告诉我什么是显示输出 htmlentities 或 htmlspecialchars 的最佳选择

I am trying to input data using forms into the MySQL, and also using mysql_real_escape_string for this purpose. Unfortunately I am having a problem with the output. It displays \s, or if I use stripslashes then it removes all slashes.

If I submit web's forms using backslash \ I get this output:

"web\'s forms using backslash \\"

See I got a double backslash. But if I use the stripslashes function then it removes all slashes but also removes inputed slash and the output is

"web's forms using backslash"

Here, no backslash is displayed, but there should be one backslash at the end.

The problem is that if someone uses backslash in password field and any other filed, then the backslash will be stripped or displayed twice.And also please tell me what is best for displaying output htmlentities or htmlspecialchars

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

亣腦蒛氧 2024-10-19 05:26:21

您已启用魔术引号。您需要完全禁用它们,因为它们在安全性方面不好。

从 php.ini 将它们设置为 off(首选):

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

或者您可以在运行时禁用它们:

if (get_magic_quotes_gpc())
{
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process))
    {
        foreach ($val as $k => $v)
        {
            unset($process[$key][$k]);
            if (is_array($v))
            {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            }
            else
            {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

You have magic quotes turned on. You need to disable them altogether as they are not good in terms of security.

Set them to off from php.ini (preferred):

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Or you can disable them at runtime:

if (get_magic_quotes_gpc())
{
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process))
    {
        foreach ($val as $k => $v)
        {
            unset($process[$key][$k]);
            if (is_array($v))
            {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            }
            else
            {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
↙厌世 2024-10-19 05:26:21

使用 mysqli 库和准备好的语句。然后所有字符都作为数据输入,您不需要弄乱所有这些东西。

哪些字符不会使用 mysqli 准备好的语句进行转义?< /a>

为什么使用 mysql 准备好的语句比使用常见的转义函数更安全吗?

Use the mysqli library and Prepared Statements. Then all characters go in as data and you don't need to mess with all this stuff.

What characters are NOT escaped with a mysqli prepared statement?

Why is using a mysql prepared statement more secure than using the common escape functions?

你的呼吸 2024-10-19 05:26:21

向mysql输入数据的安全方法

使用“安全”插入数据时出现问题
使用PHP向mysql输入数据的方法”

您应该使用 PDO(新改进的方法)预准备语句,它比前辈(mysql_real_escape_string 等)更安全、更快。 为什么你应该这样做使用 PHP 的 PDO 进行数据库访问 更深入的细节。

显示输出

问题是如果有人使用
密码字段中的反斜杠和任何
其他归档,那么反斜杠将
被剥离或显示两次。并且
还请告诉我什么最适合
显示输出 htmlentities 或
htmlspecialchars。

新的改进方法是使用过滤器。我特别建议您阅读 PHP 创建者 Rasmus Ledorf 的所有这些性能和安全性幻灯片。 http://talks.php.net/ 有很多不错的幻灯片,您应该看看在。

Safe way to input data to mysql

Problems in inserting data using “safe
way to input data to mysql using PHP”

You should use PDO(new improved way) prepared statement which are safer and faster then there predecessors(mysql_real_escape_string, etc). Why you Should be using PHP’s PDO for Database Access goes into deeper details.

Displaying output

The problem is that if someone uses
backslash in password field and any
other filed, then the backslash will
be stripped or displayed twice.And
also please tell me what is best for
displaying output htmlentities or
htmlspecialchars.

The new and improved way is to use filter. In particular I would advise you to read all these Performance and Security slides from PHP creator Rasmus Ledorf. http://talks.php.net/ has a lot of good slides in general which you should have a look at.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文