Escaping quotes in PHP
How do I escape quotes in PHP when trying to query a MySQL database? Without adding addslashes on every value:

$fname = addslashes("Value's with quote''s'");
$lname = addslashes("Value's with quote''s'");
Comments (4)
The proper way is using prepared statements, e.g. via PDO.
If you can't do that, you have to process all values which are passed into a database query with mysql_real_escape_string() - and no, doing that simply on all $_POST data is not an option since that would render them unusable for HTML output, etc. You could create a $_ESC or something similar though... but note that this variable will not be superglobal!
You ought to escape special characters (not only quotes) on every string value (it's useless to escape values you're not going to enclose in quotes in a query. Those values require another treatment).
To avoid boring repetitive typing you can apply an escaping function to array items in a loop.
In case you're using MySQL and for INSERT/UPDATE queries, you can use this helper function:
It is used like this:
Also don't forget to set proper encoding using mysql_set_charset() as it's required for the mysql_real_escape_string() function.
A good idea would be using PDO prepared statements as described here.
It will automatically escape those characters.
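The PDO route recommended in the first and third comments, shown as an added example rather than code from either commenter. It runs the question's INSERT with placeholders, so no value is ever quoted or escaped by hand, and it also shows the one caveat practitioners run into: placeholders bind values only, never table or column names. The DSN, credentials and the users table are assumptions for this example.

```php
<?php
// Added example (not from the comments): the question's INSERT done with PDO
// prepared statements. Assumed: a MySQL database "app" with a table
// users(fname, lname); host, credentials and table name are placeholders.
$dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';

$pdo = new PDO($dsn, 'app_user', 'app_password', [
    // Throw on errors instead of silently returning false.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements: values travel separately from
    // the SQL text, so the driver never builds a quoted string at all.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The raw values from the question, awkward quotes included.
$fname = "Value's with quote''s'";
$lname = "Value's with quote''s'";

// The SQL text is fixed at prepare time; the values are bound at execute time.
$stmt = $pdo->prepare('INSERT INTO users (fname, lname) VALUES (:fname, :lname)');
$stmt->execute([':fname' => $fname, ':lname' => $lname]);

// The same statement is re-executed with other values, with no escaping step.
$stmt->execute([':fname' => "O'Brien", ':lname' => "x'); DROP TABLE users; --"]);

// Placeholders cannot stand in for identifiers or keywords. A user-chosen sort
// column therefore has to be mapped through a fixed whitelist before it is
// spliced into the SQL text (constructed example: ?sort=fname).
$allowedSort = ['fname' => 'fname', 'lname' => 'lname'];
$sortColumn  = $allowedSort[$_GET['sort'] ?? 'lname'] ?? 'lname';

// Reading back: every value comes out exactly as it was passed in.
$rows = $pdo->query("SELECT fname, lname FROM users ORDER BY $sortColumn")
            ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    // htmlspecialchars is the output-side counterpart. Escaping belongs to the
    // destination (SQL at the query, HTML at the page), which is why escaping
    // all of $_POST once up front, as the first comment notes, is not an option.
    echo htmlspecialchars($row['fname'], ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars($row['lname'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With ATTR_EMULATE_PREPARES disabled, PDO sends the statement and the bound values to MySQL as separate protocol messages, so the question's quotes never meet the SQL parser as text; with emulation left on, PDO quotes the values client-side using the connection charset, which is why the charset belongs in the DSN.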
Firstly, don't use addslashes() - it is not recommended for use with escaping DB query strings because it doesn't escape everything that actually needs to be escaped; there are some characters that can still get through.
The correct solution depends on the database you're using. Assuming you're using MySQL, the correct function to use instead of addslashes() is mysql_real_escape_string(). You probably notice that using this on every line is even more verbose than addslashes(), so it doesn't really answer your question. If your fields are all separate variables (as per your example), then you're really stuck with doing that for a bunch of lines of code.
If you're using an array (eg $_POST), then you can do it in a loop, which will make things a lot neater - you can do things like this:
A more up-to-date method for doing SQL is to use an object model rather than manually building the queries. PHP has a number of libraries that may help: mysqli is an improved MySQL library, and PDO is a database-neutral library. Either of these would give you much better security and flexibility than building the SQL code directly. However if you already have a lot of code in place then they would represent a fairly significant overhead of code changes, so you may want to go with the mysql_real_escape_string() option discussed above in the short term. I do recommend investigating them though.
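The escaping loop this comment describes, together with the INSERT/UPDATE helper and the charset point from the second comment, as an added example that is not either commenter's code. The mysql_* extension they refer to was removed in PHP 7, so the example uses the mysqli equivalents (mysqli::set_charset and mysqli::real_escape_string). The connection details, the users table and the column list are assumptions; $input is a constructed stand-in for $_POST.

```php
<?php
// Added example, not the comments' own code. Assumed: a MySQL database "app"
// with a table users(id, fname, lname, age); credentials are placeholders.
$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app');
// The escaper must know the connection charset (the second comment's
// mysql_set_charset point): with a mismatched charset a multibyte sequence
// can swallow the backslash the escaper inserts before a quote.
$db->set_charset('utf8mb4');

// Whitelist of columns the form may write, with the treatment each one gets.
// Escaping only protects values that end up inside quotes (second comment);
// an integer column is cast instead of quoted. Column names are never taken
// from the request: the keys of this array are the only identifiers used.
$columns = ['fname' => 'string', 'lname' => 'string', 'age' => 'int'];

/** Return a SQL literal for one value according to its declared type. */
function sqlLiteral(mysqli $db, string $type, $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if ($type === 'int') {
        return (string) (int) $value;      // cast; used unquoted in the SQL
    }
    return "'" . $db->real_escape_string((string) $value) . "'";
}

/** Escape every whitelisted field of $input in one loop (this comment's idea). */
function escapedFields(mysqli $db, array $columns, array $input): array
{
    $out = [];
    foreach ($columns as $name => $type) {
        if (array_key_exists($name, $input)) {
            $out[$name] = sqlLiteral($db, $type, $input[$name]);
        }
    }
    return $out;   // e.g. 'fname' => a quoted, escaped literal; 'age' => '42'
}

/** Build an INSERT from already-escaped fields (the second comment's helper). */
function insertSql(string $table, array $fields): string
{
    return sprintf('INSERT INTO `%s` (`%s`) VALUES (%s)',
        $table, implode('`, `', array_keys($fields)), implode(', ', $fields));
}

/** Build an UPDATE; $id is cast to int because it is used unquoted. */
function updateSql(string $table, array $fields, int $id): string
{
    $set = [];
    foreach ($fields as $name => $literal) {
        $set[] = "`$name` = $literal";
    }
    return sprintf('UPDATE `%s` SET %s WHERE id = %d', $table, implode(', ', $set), $id);
}

// Constructed stand-in for $_POST, reusing the question's values. The
// is_admin key is not whitelisted and is simply dropped by the loop.
$input = [
    'fname'    => "Value's with quote''s'",
    'lname'    => "Value's with quote''s'",
    'age'      => '42',
    'is_admin' => '1',
];

$fields = escapedFields($db, $columns, $input);
$db->query(insertSql('users', $fields));
$db->query(updateSql('users', $fields, (int) $db->insert_id));
```

The whitelist does two jobs at once: it stops a request from choosing which columns get written, and it records which values are quoted strings and which are unquoted numbers, which is the distinction the second comment makes when it says escaping alone is useless for values that are not enclosed in quotes.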