php mysql_real_escape_string() 在 MySQL 中留下斜线
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/173212/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
mysql_real_escape_string() leaving slashes in MySQL
提问by Eric Lamb
I just moved to a new hosting company and now whenever a string gets escaped using:
我刚搬到一家新的托管公司,现在每当使用以下方法转义字符串时:
mysql_real_escape_string($str);
the slashes remain in the database. This is the first time I've ever seen this happen so none of my scripts use
斜线保留在数据库中。这是我第一次看到这种情况发生,所以我的脚本都没有使用
stripslashes()
anymore.
了。
This is on a CentOS 4.5 64bit running php 5.2.6 as fastcgi on a lighttpd 1.4 server. I've ensured that all magic_quotes options are off and the mysql client api is 5.0.51a.
这是在运行 php 5.2.6 作为 fastcgi 的 CentOS 4.5 64 位服务器上的 lighttpd 1.4 服务器上。我已经确保所有的magic_quotes 选项都关闭并且mysql 客户端api 是5.0.51a。
I have the same issue on all 6 of my webservers.
我的所有 6 个网络服务器上都有同样的问题。
Any help would be appreciated.
任何帮助,将不胜感激。
Thanks.
谢谢。
Edit:
编辑:
Magic Quotes isn't on. Please don't recommend turning it off. THIS IS NOT THE ISSUE.
魔术行情未开启。请不要建议关闭它。这不是问题。
回答by Andy Lester
The host that you've moved probably has magic_quotes_runtimeturned on. You can turn it off with set_magic_quotes_runtime(0).
您移动的主机可能已magic_quotes_runtime打开。你可以用 关闭它set_magic_quotes_runtime(0)。
Please turn off magic_quotes_runtime, and then change your code to use bind variables, rather than using the string escaping.
请关闭magic_quotes_runtime,然后更改您的代码以使用绑定变量,而不是使用字符串转义。
回答by Mike Weller
I can think of a number of things that could cause this. But it depends how you are invoking SQL queries. If you moved to use parameterized queries like with PDO, then escaping is unnecessary which means the call to mysql_real_escape_stringis adding the extra slashes.
我能想到一些可能导致这种情况的事情。但这取决于您如何调用 SQL 查询。如果您改用 PDO 之类的参数化查询,则不需要转义,这意味着调用mysql_real_escape_string会添加额外的斜杠。
If you are using mysql_queryetc. then there must be some code somewhere like addslasheswhich is doing this. This could either be before the data is going into the database, or after.
如果您正在使用mysql_query等,那么在某处一定有一些代码addslashes正在执行此操作。这可能是在数据进入数据库之前,也可能是之后。
Also you say you have disabled magic quotes... if you haven't already, just do a hard check in the code with something like this:
您还说您已禁用魔术引号...如果您还没有,请使用以下内容对代码进行硬检查:
echo htmlentities($_GET['value']); // or $_POST, whichever is appropriate
Make sure there are no slashes in that value, then also check this:
确保该值中没有斜线,然后还要检查:
echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON" : "OFF");
I know you've said multiple times it isn't magic quotes, but for us guys trying to help we need to be sure you have checked the actual PHP output rather than just changing the config (which might not have worked).
我知道你已经多次说过这不是魔术引号,但是对于我们试图提供帮助的人来说,我们需要确保您已经检查了实际的 PHP 输出,而不仅仅是更改配置(这可能不起作用)。
回答by nickf
it sounds as though you have magic quotes turned on. Turning it off isn't too hard: just create a file in your root directory called .htaccessand put this line in it:
听起来好像您打开了魔术引号。关闭它并不太难:只需在您的根目录中创建一个名为的文件.htaccess并将此行放入其中:
php_flag magic_quotes off
If that's not possible for whatever reason, or you want to change your application to be able to handle magic quotes, use this technique:
如果由于某种原因无法做到这一点,或者您想更改您的应用程序以能够处理魔术引号,请使用以下技术:
Instead of accessing the request variables directly, use a function instead. That function can then check if magic quotes is on or off and strip out slashes accordingly. Simply running stripslashes() over everything won't work, because you'll get rid of slashes which you actually want.
不要直接访问请求变量,而是使用函数。然后该函数可以检查魔术引号是打开还是关闭并相应地去除斜线。简单地在所有内容上运行 stripslashes() 是行不通的,因为您将摆脱您真正想要的斜线。
function getVar($key) {
if (get_magic_quotes_gpc()) {
return stripslashes($_POST[$key]);
} else {
return $_POST[$key];
}
}
$x = getVar('x');
Now that you've got that, all your incoming variables are ready to be escaped again and mysql_real_escape_string()won't stuff them up.
现在你已经知道了,你所有的传入变量都准备好再次转义,mysql_real_escape_string()不会把它们塞满。
回答by Your Common Sense
the slashes remain in the database.
斜线保留在数据库中。
It means that your data gets double escaped.
这意味着您的数据被双重转义。
There are 2 possible reasons:
有2个可能的原因:
magic quotes areon, despite of your feeling. Double-check it
There is some code in your application, that just mimic magic quotes behaviour, escaping all input.
This is very common misconception to have a general escaping function to "protect" all the incoming data. While it does no good at all, it also responsible for the cases like this.
Of so - just find that function and wipe it out.
不管你的感觉如何,魔术报价都在开启。仔细检查一下
您的应用程序中有一些代码只是模仿魔术引号行为,转义所有输入。
这是一个非常普遍的误解,认为有一个通用的转义函数来“保护”所有传入的数据。虽然它根本没有好处,但它也对这种情况负责。
当然 - 只需找到该功能并将其清除即可。
回答by Wijnand de Ridder
What might be the problem (it was with us) that you use mysql_real_escape_string()multiple times on the same var. When you use it multiple times, it will add the slashes.
您mysql_real_escape_string()在同一个 var 上多次使用可能是什么问题(这是我们的问题)。当您多次使用它时,它会添加斜杠。
回答by troelskn
You must probably have magic quotes turned on. Figuring out exactly how to turn it off can be quite a headache in PHP. While you can turn off magic quotes with set_magic_quotes_runtime(0), it isn't enough -- Magic quotes has already altered the input data at this point, so you must undo the change. Try with this snippet: http://talks.php.net/show/php-best-practices/26
您可能必须打开魔术引号。在 PHP 中,确切地弄清楚如何关闭它可能是一件令人头疼的事。虽然您可以使用 关闭魔术引号set_magic_quotes_runtime(0),但这还不够——此时魔术引号已经更改了输入数据,因此您必须撤消更改。试试这个片段:http: //talks.php.net/show/php-best-practices/26
Or better yet -- Disable magic quotes in php.ini, and any .htaccess files it may be set in.
或者更好 - 禁用php.ini.htaccess 文件中的魔术引号,以及它可能被设置的任何 .htaccess 文件。
回答by Milan
I am not sure if I understand the issue correctly but I had a very same problem. No matter what I did the slashes were there when the string got escaped. Since I needed the inserted value to be in the exact same format as it was entered I used
我不确定我是否正确理解了这个问题,但我遇到了同样的问题。无论我做了什么,当字符串被转义时,斜线就在那里。因为我需要插入的值与输入的格式完全相同,所以我使用
htmlentities($inserted_value)
this will leave all inserted quote marks unescaped but harmless.
这将使所有插入的引号不被转义但无害。
回答by Ryaner
Function below will correctly remove slashes beforeinserting into the database. I know you said magic quotes isn't on but something is adding slashes so try the following page and see the output. It'll help figure out where. Call with page.php?var=something-with'data_that;will`be|escaped
下面的函数将在插入数据库之前正确删除斜杠。我知道你说魔术引号没有打开,但有些东西正在添加斜杠,所以请尝试以下页面并查看输出。这将有助于找出在哪里。调用 page.php?var=something-with'data_that;will`be|escaped
You will most likely see number three outputting more slashes than needed.
您很可能会看到第三个输出比需要更多的斜杠。
*Change the db details too.
*也更改数据库详细信息。
<?php
$db = mysql_connect('host', 'user', 'pass');
$var = $_REQUEST['var'];
echo "1: $var :1<br />";
echo "2: ".stripslashes($var)." :2<br />";
echo "3: ".mysql_real_escape_string($var)." :3<br />";
echo "4: ".quote_smart($var)." :4<br />";
function quote_smart($value)
{
// Stripslashes is gpc on
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number or a numeric string
if ( !is_numeric($value) )
{
$value = mysql_real_escape_string($value);
}
return $value;
}
?>
?>
回答by Steve Obbayi
mysql_real_escape_string($str);is supposed to do exactly that. it is meant to add backslashes to special characters especially when you want to pass the query to mysql. Take note that it also takes into account the character set of mysql.
mysql_real_escape_string($str);应该做到这一点。它旨在为特殊字符添加反斜杠,尤其是当您想将查询传递给 mysql 时。请注意,它还考虑了mysql的字符集。
For safer coding practices it would be good to edit your code and use stripslashes()to read out the data and remove the slashes.
为了更安全的编码实践,最好编辑您的代码并用于stripslashes()读出数据并删除斜线。
