我在 SQL INSERT 之前使用 mysql_real_escape_string,但随后必须对检索到的数据应用 stripslashes。正常吗?
我不是 PHP/SQL 专家,我刚刚发现我必须应用 mysql_real_escape_string 来保护我的 SQL 插入。
我使用在网上找到的几个建议创建了一个函数,如下所示:
function secure($string)
{
if(is_numeric($string))
{ $string = intval($string); }
elseif (is_array($string))
{
foreach ($string as $key => $value) {
$string[$key] = secure($value);
}
}
else if ($string === null)
{
$string = 'NULL';
}
elseif (is_bool($string))
{
$string = $string ? 1 : 0;
}
else
{
if (get_magic_quotes_gpc()) { $value = stripslashes($string); }
$string = mysql_real_escape_string($string);
$string = addcslashes($string, '%_');
}
return $string;
}
事情是,当我查看表格内容时,它包含反斜杠。 然后从逻辑上讲,当我检索数据时,我必须对其应用反斜杠以删除这些反斜杠。
魔术报价已关闭。
问题 1) 现在我认为即使我在 SQL 插入之前使用 mysql_real_escape_string 来保护我的数据,反斜杠也不应该出现在我的内容中? 您能证实这一点吗?
问题 2) 如果不正常,为什么这些反斜杠出现在我的 phpMyAdmin 内容和检索中? 我做错了什么?
问题 3) 我的猜测是 mysql_real_escape_string 可以应用两次,不是吗? 如果是这样,什么函数可以防止 mysql_real_escape_string 多次应用于同一个字符串,导致许多 \\ 到同一个可转义字符?
非常感谢您的投入!
I'm no PHP/SQL expert, and I've juste discovered that i had to apply mysql_real_escape_string to secure my SQL INSERTS.
I made a function using several advice found on the net, here it is:
function secure($string)
{
if(is_numeric($string))
{ $string = intval($string); }
elseif (is_array($string))
{
foreach ($string as $key => $value) {
$string[$key] = secure($value);
}
}
else if ($string === null)
{
$string = 'NULL';
}
elseif (is_bool($string))
{
$string = $string ? 1 : 0;
}
else
{
if (get_magic_quotes_gpc()) { $value = stripslashes($string); }
$string = mysql_real_escape_string($string);
$string = addcslashes($string, '%_');
}
return $string;
}
Thing is, when I have a look at my tables content, it contains backslashes.
And then logically, when I retrieve data I have to apply stripslashes to it to remove these backslashes.
Magic Quotes are off.
QUESTION 1)
Now I think that even though I use mysql_real_escape_string to secure my data before SQL insertion, backslashes should not appear in my content ? Can you confirm this ?
QUESTION 2)
If not normal, why are these backslashes appearing in my phpMyAdmin content and retrievals ? What did I did wrong ?
QUESTION 3)
A guess I have is that mysql_real_escape_string could be applied twice, isn't it ?
If so, what could be a function to prevent mysql_real_escape_string being applied many times to a same string, leading to many \\ to a same escapable character ?
Thanks a lot by advance for your inputs guys !
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
哦,多么无意义的功能。我知道这不是你的错,而是那些在愚蠢的文章和答案中写下它的人的错。
摆脱它并仅使用 mysql_real_escape_string 来转义字符串。
你把一切都搞混了。
首先,数据库转义函数中不应出现任何魔术引号内容。
如果您想摆脱魔术引号,请在所有脚本的最顶部集中进行,无论它们是否处理数据库。
这个函数中的大部分检查都是无用的。例如 is_bool。 PHP 将以同样的方式对其进行转换,无需为此编写任何代码。
类似的转义是完全不同的事情,与安全无关。
数字检查完全没有用,因为它没有任何帮助。
另请注意,转义字符串与安全性无关。
我只是一个语法规则 - 所有字符串都应该被转义。无论它的起源或任何其他东西。只是一个严格的规则:每次将字符串放入查询中时,都应该将其引用并转义。(当然,如果您只转义而不引用,它将毫无帮助)
并且仅当我们谈论查询的其他部分,涉及到 SQL 注入问题。要了解有关此问题的完整指南,请参阅我之前的答案:在 PHP 中,当向数据库提交字符串时,我应该使用 htmlspecialchars() 还是使用正则表达式来处理非法字符?
oh, what a senseless function. I know it's not your fault but ones who wrote it in their stupid articles and answers.
Get rid of it and use only mysql_real_escape_string to escape strings.
you have mixed up everything.
first, no magic quotes stuff should be present in the database escaping function.
if you want to get rid of magic quotes, do it centralized, at the very top of ALL your scripts, no matter if they deal with the database or not.
most of checks in this function are useless. is_bool for example. PHP will convert it the same way, no need to write any code for this.
LIKE related escaping is TOTALLY distinct matter, and has nothing to do with safety.
is numeric check is completely useless, as it will help nothing.
Also note that escaping strings has nothing to do with security.
I's just a syntax rule - all strings should be escaped. No matter of it's origin or any other stuff. Just a strict rule: every time you place a string into query, it should be quoted and escaped. (And of course, if you only escape it but not quote, it will help nothing)
And only when we talk of the other parts of query, it comes to the SQL injection issue. To learn complete guide on this matter, refer to my earlier answer: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?
您的 stripslashed
$string存储到错误的变量$value而不是$string:应该是
Your stripslashed
$stringis stored to the wrong variable$valueinstead of$string:should be
您确定没有多次调用 mysql_real_escape_string 吗?每次使用可转义字符调用它时,最终都会添加越来越多的斜杠。您只想调用它一次。另外,为什么你还调用addcslashes? mysql_real_escape_string 应该足够了。如果只调用它一次,那么从数据库检索数据后就不必再对数据调用 stripslashes。
您无法真正判断 mysql_real_escape_string 是否应用了多次,我建议您回去仔细重新阅读您的代码,尝试在将值插入数据库之前调试打印这些值,看看它们是否看起来“过度”砍掉了”。
顺便说一句,如果您使用准备好的语句(例如通过 mysqli),您不需要转义字符串,数据库引擎会为您执行此操作,这也可能是问题。
Are you sure you aren't calling mysql_real_escape_string more than once, each time you call it with escapable characters you will end up adding more and more slashes. You want to call it only once. Also, why are you also calling addcslashes? mysql_real_escape_string should be enough. If you call it only once, you should never have to call stripslashes on the data after retrieving it from the database.
You can't really tell if mysql_real_escape_string is applied more than once, I'd suggest going back and re-reading your code carefully, try debug printing the values just before they are inserted into the db to see if they are look 'over-slashed'.
Btw, if you are using prepared statements (e.g. via mysqli) you dont need to escape your strings, the DB engine does this for you, this could be the problem too.
从所有代码中完全删除addslashes。这是将斜杠插入数据库的主要原因。
始终检查 magic_quotes_gpc 是否启用,如果启用则执行 stripslashes 并转义数据。
转义=“不要使用addslashes”
当它进入数据库时,'\'被删除。
Remove addslashes completely from all of your code. This is the leading cause for slashes being inserted into database.
Always check if magic_quotes_gpc is enabled, if it is perform stripslashes and escape the data.
Escaped = "don\'t use addslashes"
When it goes into database the '\' is removed.