mysql_real_escape_string() prevents the Google Map from displaying
I paste Google Map code
<iframe width="186" height="186" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.com/maps?f=d&source=s_d&saddr=NIPA,+Karachi,+Pakistan&daddr=&hl=en&geocode=FXg3fAEd6dH_AyF_rsIkOA6mpg&aq=&sll=24.91788,67.097065&sspn=0.007414,0.009645&vpsrc=0&mra=ls&ie=UTF8&t=m&ll=24.91788,67.097065&spn=0.007414,0.009645&output=embed"></iframe>
<br />
<small><a href="http://maps.google.com/maps?f=d&source=embed&saddr=NIPA,+Karachi,+Pakistan&daddr=&hl=en&geocode=FXg3fAEd6dH_AyF_rsIkOA6mpg&aq=&sll=24.91788,67.097065&sspn=0.007414,0.009645&vpsrc=0&mra=ls&ie=UTF8&t=m&ll=24.91788,67.097065&spn=0.007414,0.009645" style="color:#0000FF;text-align:left">View Larger Map</a></small> </div>
in a text area and using mysql_real_escape_string(trim($_POST['map']))
but on fetching it back from the MySQL table it does not show the map because of the SQL injection protection function, i.e. mysql_real_escape_string(), like:
<iframe width=\"186\" height=\"186\" frameborder=\"0\" scrolling=\"no\" marginheight=\"0\" marginwidth=\"0\" src=\"http://maps.google.com/maps?f=d&source=s_d&saddr=NIPA,+Karachi,+Pakistan&daddr=&hl=en&geocode=FXg3fAEd6dH_AyF_rsIkOA6mpg&aq=&sll=24.91788,67.097065&sspn=0.007414,0.009645&vpsrc=0&mra=ls&ie=UTF8&t=m&ll=24.91788,67.097065&spn=0.007414,0.009645&output=embed\"></iframe>
<br />
<small><a href=\"http://maps.google.com/maps?f=d&source=embed&saddr=NIPA,+Karachi,+Pakistan&daddr=&hl=en&geocode=FXg3fAEd6dH_AyF_rsIkOA6mpg&aq=&sll=24.91788,67.097065&sspn=0.007414,0.009645&vpsrc=0&mra=ls&ie=UTF8&t=m&ll=24.91788,67.097065&spn=0.007414,0.009645\" style=\"color:#0000FF;text-align:left\">View Larger Map</a></small> </div>
.............!
Comments (2)
The problem is that you have magic-quotes enabled. This is one of the big mistakes in PHP (and will be taken out of the language in version 5.something).
In many older setups it is still enabled and it's a good idea to disable it, because it does not add any security, but it does add a lot of headaches.
If (and only if) you cannot disable it, you can use stripslashes() before doing mysql_real_escape_string.

Try applying stripslashes() to the string before displaying it.
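
The double escaping described in the first answer, as an added example that is not code from the question or the answers. It simulates the round trip without a database: `addslashes()` stands in for what magic quotes did to `$_POST`, and `sql_escape()`, `stored_value()`, `normalise_input()` and `magic_quotes_active()` are hypothetical helper names, with `sql_escape()` a simplified stand-in for `mysql_real_escape_string()`.

```php
<?php
// Added illustration. Assumptions: only quotes and backslashes matter here,
// so addslashes()/stripslashes() model the escaping and MySQL's decoding.

function magic_quotes_active()
{
    // get_magic_quotes_gpc() was removed in PHP 8, so check it exists first.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

function sql_escape($value)
{
    // Simplified stand-in for mysql_real_escape_string() (needs no connection).
    return addslashes($value);
}

function stored_value($sqlLiteral)
{
    // MySQL removes exactly one level of escaping when it parses the literal.
    return stripslashes($sqlLiteral);
}

function normalise_input($value, $magicQuotesOn)
{
    // Undo magic quotes once, and only when they were actually applied.
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Constructed sample: a shortened version of the embed snippet.
$typed = '<iframe width="186" src="http://maps.google.com/maps?output=embed"></iframe>';

// What the script receives in $_POST when magic_quotes_gpc is enabled.
$post = addslashes($typed);

// Path from the question: escape the already-escaped value.
$broken = stored_value(sql_escape(trim($post)));

// Path from the first answer: stripslashes() before escaping.
$fixed = stored_value(sql_escape(trim(normalise_input($post, true))));

echo "stored (question): $broken\n";
echo "stored (answer):   $fixed\n";
var_dump($broken === $typed, $fixed === $typed);
```

In real code the flag passed to `normalise_input()` would come from `magic_quotes_active()`; it is hard-coded to `true` here because the magic-quotes step is simulated.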