PHP 中两次转义引号

发布于 2024-10-20 04:57:54 字数 541 浏览 2 评论 0原文

我有一个复杂的表单，我首先必须采用一些 $_GET 参数，显然我必须对它们执行 mysql_real_escape_string() ，因为我在数据库中查找内容他们。

对我来说，他们的问题是在初始数据库查找之后。当用户提交表单时，我将它们作为 $_POST 请求发送，显然必须再次执行此 mysql_real_escape_string 调用，以防万一有人试图使用伪造的表单提交。

然后我遇到的问题是参数被转义了两次，我的查询开始看起来很奇怪，如下所示：

select field1 , field2 , from my_table where some_id = \'.$lookup_id.\' ...

所以系统似乎添加了 \' 这让我很困惑:) 另外，在我的其他形式中我还没有看到这样的行为。关于可能导致这种情况的原因有什么想法吗？

一件奇怪的事情是我尝试将未转义的参数发送到帖子，并且发生了同样的问题。这是一条线索，但对我来说还不够。 :(

原文

I have a complicated form where I first have to take some $_GET parameters and obviously I have to do a mysql_real_escape_string() on them since I look stuff up in the database with them.

Them problem for me is after the initial db lookup. When the user submits a form, I send them along as a $_POST request and obviously have to do this mysql_real_escape_string call again just in case someone tries to hack my site with a faked form submission.

Then the problem I have is the arguments are escaped twice and my queries begin to look strange like this:

select field1 , field2 , from my_table where some_id = \'.$lookup_id.\' ...

So the system seems to be adding \' and it is messing me up :)
Also, in my other forms I have not seen such behavior. Any ideas on what may be causing this?

One weird thing is that I tried to send unescaped parameters to the post, and the same problem happens. That is a clue, but not a sufficient one for me. :(

分享到QQ

分享到微博