使用mysql_real_escape_string存储后保持textarea输入格式

发布于 2024-11-06 04:46:06 字数 1050 浏览 2 评论 0原文

我正在使用 php5.3.6 和 mysql 5.1.56 以及 CodeIgniter。这就是我所做的。

  1. 在文本区域中输入一些文本,如下所示:

    <小时>

    这是什么?

    我是鲍勃。


  2. $string = $_POST['name'];

  3. $insertdata = mysql_real_escape_string($string);

  4. 将 $insertdata 插入数据库。 它在表中显示“这是什么?\n\n\nI\'m bob.”(不带双引号)。

  5. 查询数据库中存储的数据,对其使用stripslashes,然后将其放回文本区域。 它在文本区域中显示“这是什么?nnnI'm bob。”(不带双引号)。

我的问题是:

  • 在第 4 步中,不应该是“这是什么?\n\n\n 我是鲍勃”。存储在表中? 我查了php手册。它说:

mysql_real_escape_string() 调用 MySQL的库函数 mysql_real_escape_string,其中 在以下内容前面加上反斜杠 字符:\x00、\n、\r、\、'、" 和 \x1a。

  • 使用 mysql_real_escape_string() 后我该如何保持 textarea 输入格式?

  • 是否可以选择要删除哪些斜杠和不删除哪些斜杠?

注意:

  • 魔术引号选项已关闭
  • 我之前没有使用过 stripslashes() 使用mysql_real_escape_string()
  • 如果我使用addslashes() 而不是 mysql_real_escape_string(), 一切正常。
  • 我不想使用addslashes(),因为 它不像 mysql_real_escape_string(),至 我知道。

谢谢, 米洛

I am using php5.3.6 and mysql 5.1.56 and CodeIgniter. Here is what I did.

  1. Input some text in textarea, something like this:


    what's this?

    I'm bob.


  2. $string = $_POST['name'];

  3. $insertdata = mysql_real_escape_string($string);

  4. Insert $insertdata into database.
    It shows "what\'s this?\n\n\nI\'m bob."(without double quotes) in the table.

  5. Query the data stored in database, use stripslashes on it and then put it back to the textarea.
    It shows "what's this?nnnI'm bob."(without double quotes) in the textarea.

My questions are:

  • In step 4, shouldn't it be "what\'s this?\n\n\n I\'m bob." stored in the table?
    I checked php manual. It says:

mysql_real_escape_string() calls
MySQL's library function
mysql_real_escape_string, which
prepends backslashes to the following
characters: \x00, \n, \r, \, ', " and
\x1a.

  • How am I supposed to keep the textarea input format after using mysql_real_escape_string()?

  • Is there anyway to choose which slash to strip and which not to?

Notes:

  • magic quotes option is off
  • I did not use stripslashes() before
    using mysql_real_escape_string()
  • If I use addslashes() instead of
    mysql_real_escape_string(),
    everything works fine.
  • I don' want to use addslashes() since
    it is not as secure as
    mysql_real_escape_string(), as far as
    I know.

Thanks,
Milo

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

七月上 2024-11-13 04:46:06

这确实感觉很像 magic_quotes_gpc = On。您是在 php.ini 中还是在运行时禁用它?它必须是前者,否则它将继续存在。

http://www.php.net/manual/en/security.magicquotes .disabling.php

magic_quotes_gpc 指令只能在系统级别禁用,而不能在运行时禁用。换句话说,使用 ini_set() 不是一个选项。

This really does feel a lot like magic_quotes_gpc = On. Are you disabling it in php.ini or at runtime? It needs to be the former, otherwise it'll remain on.

http://www.php.net/manual/en/security.magicquotes.disabling.php

The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In otherwords, use of ini_set() is not an option.

公布 2024-11-13 04:46:06

简短答案:

// double quotes are *very* important, or chars are not interpreted
$text_from_db=str_replace("\\r","\r",str_replace("\\n","\n",$text_from_db));

长答案

非常简单但很棘手。
您编写文本区域并按“回车”键,会出现一个 \r\n (在 Windows 系统上),其中带有斜杠,这些斜杠转义了“r”和“n”字母,并上升了回车符和换行符的特殊含义。
您实际上看不到它们,因为它们是“不可打印”字符。
斜杠字符本身(0x1B)是不可见的,即单个斜杠是“不可打印”字符,要使其可见,您必须将其“转换”为可打印斜杠字符(0x5C),并且要实现这一点,您必须将其加倍它 ”\\”。
现在回到问题:如果你能读懂斜杠,可能是因为斜杠不是 0x1B 而是 0x5C,因此“n”和“r”失去了它们的特殊含义,你将它们视为纯粹的字符串。
我发布的代码执行此转换,将“[0x5C]n”字符串转换为“[0x1B]”字符。

笔记

希望这有帮助,它对我有用。 重要:如果存储正确,来自数据库的文本出现此问题是不正常的。我的建议是对插入和检索进行三次检查,因为(从问题中给出)您可能会在某个地方应用两次引用。

Short answer:

// double quotes are *very* important, or chars are not interpreted
$text_from_db=str_replace("\\r","\r",str_replace("\\n","\n",$text_from_db));

Long answer

Pretty simple but tricky.
You write your textarea and hit the "return" key, there is placed a \r\n (on Windows systems) with slashes that escape the "r" and "n" letter rising their special meaning of carriage return and newline.
You actually can't see them because they are "not printable" chars.
The slash char itself (0x1B) is invisible, that is a single slash is a "not printable" char, to make it visible you have to "transform" it in a printable slash char (0x5C) and to achieve that you have to double it "\\".
Now back to the question: if you can read the slash, probably that's beacuse that slash is not the 0x1B but rather 0x5C, so the "n" and "r" lose their special meaning and you get them as mere strings.
The code I posted does this conversion, converting the "[0x5C]n" string in a "[0x1B]" char.

Notes

Hope this helps, it did for me. IMPORTANT : it is not normal that the text that comes from the db has this issue if it has been stored correctly. My suggestion is to triple check insertion and retrieving because (given from the issue) you could be applying the quoting twice somewhere.

梦在夏天 2024-11-13 04:46:06

最佳解决方案..

$insertdata = mysql_real_escape_string($string); (如果需要,您可以将其插入数据库中)

echo stripslashes(str_replace('\r\n',PHP_EOL, $insertdata)); (输出与您的输入完全相同)

The Best Solution..

$insertdata = mysql_real_escape_string($string); (You can insert it in your database if you want)

echo stripslashes(str_replace('\r\n',PHP_EOL,$insertdata)); (The output is exactly as your input was)

花想c 2024-11-13 04:46:06

在将数据插入数据库之前,必须对数据进行转义,以确保不会产生损坏的查询并避免 SQL 注入。
但是,当您通过 SELECT 检索该数据时,您将收到未转义的数据,可供使用。

You must escape data before inserting it into the database, to ensure you do not produce broken queries and to avoid SQL injections.
However, when you retrieve that data via a SELECT, you'll receive the data unescaped, ready to be used.

灵芸 2024-11-13 04:46:06

MySQL 会对字符串进行转义,但是当将结果显示给您时,它会给出与未转义时相同的结果。

MySQL escapes the string, but when displaying the result back to you it will give you the same result as if it was unescaped.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文