Best Solution

最佳解决方案

In your php.ini file, odds are that the magic_quotes_gpcdirective is set to on. This should be disabled for security reasons. If you don't have access to the php.ini file (eg. on a shared host), you can always accomplish the same using an .htaccess directive (assuming this is an apache server).

在您的 php.ini 文件中，该magic_quotes_gpc指令很可能设置为 on。出于安全原因，这应该被禁用。如果您无权访问 php.ini 文件（例如在共享主机上），您始终可以使用 .htaccess 指令完成相同的操作（假设这是一个 apache 服务器）。

In your php.ini

在你的 php.ini

magic_quotes_gpc Off

In an .htaccess file:

在 .htaccess 文件中：

php_flag magic_quotes_gpc Off

Why is this happening?

为什么会这样？

The reason this is happening is due to the following course of logic.

发生这种情况的原因是由于以下逻辑过程。

1. A string that needs escaping is sent to the server.
   • This is my string. It's awesome.
2. Magic Quotes escapes the apostrophe before it gets to your code.
   • This is my string. It\'s awesome
3. mysql_real_escape_stringnow has two characters to escape, the backslash \\as well as the apostrophe \'.
   • This is my string. It\\\'s awesome
4. This new super-escaped string is stored in the database.
5. When the string is retrieved from the database, it get's passed to stripslashes. This removes the two escapes added in step 3, but since one of the backslashes has been escaped stripslashesthinks it belongs.
   • This is my string. It\'s awesome

1. 需要转义的字符串被发送到服务器。
   • This is my string. It's awesome.
2. Magic Quotes 在进入您的代码之前会转义撇号。
   • This is my string. It\'s awesome
3. mysql_real_escape_string现在有两个字符要转义，反斜杠\\和撇号\'。
   • This is my string. It\\\'s awesome
4. 这个新的超级转义字符串存储在数据库中。
5. 当从数据库中检索字符串时，它会传递给stripslashes. 这将删除在步骤 3 中添加的两个转义符，但由于其中一个反斜杠已被转义，因此stripslashes认为它属于。
   • This is my string. It\'s awesome

This problem can really get out of hand when you re-submit these strings to the database, as each time the number of backslashes multiplies.

当您将这些字符串重新提交到数据库时，这个问题真的会失控，因为每次反斜杠的数量都会增加。

Alternative Solution

替代方案

A quick-and easy alternative would be to simply remove the slashes added by magic_quotesbefore passing the string to mysql_real_escape_string.

一种快速简便的替代方法是magic_quotes在将字符串传递给mysql_real_escape_string.

$str = stripslashes($_POST['str']);
$str = mysql_real_escape_string($str);

When adding a string to the database, I'm escaping it with mysql_real_escape_string()and the following gets stored in the database:

<span style=\\\"text-decoration:underline;\\\">underline</span>

向数据库添加字符串时，我将其转义，mysql_real_escape_string()并将以下内容存储在数据库中：

<span style=\\\"text-decoration:underline;\\\">underline</span>

No it's not. When you escape strings in a sql query, it is only to transport the data in the query. The database parses the query and stores the data in the database, without any extra slashes. Thus, when you retrieve data from the database, you should notunescape anything. It's a common misconception.

不，这不对。当您在 sql 查询中转义字符串时，它只是传输查询中的数据。数据库解析查询并将数据存储在数据库中，没有任何额外的斜线。因此，当你从数据库中检索数据，你应该不UNESCAPE什么。这是一个普遍的误解。

If you find that there are excess slashes in the output, you probably have magic quotes turned on. Turn them off.

如果您发现输出中有多余的斜杠，则您可能打开了魔术引号。关闭它们。

Edit:

编辑：

mysql> create table foo (bar text) ;
Query OK, 0 rows affected (0.01 sec)

mysql> INSERT INTO foo (bar) VALUES ("<span style=\\"text-decoration:underline;\\">underline</span>");
Query OK, 1 row affected (0.00 sec)

mysql> SELECT * FROM foo;
+-------------------------------------------------------------+
| bar                                                         |
+-------------------------------------------------------------+
| <span style=\"text-decoration:underline;\">underline</span> | 
+-------------------------------------------------------------+
1 row in set (0.00 sec)

As you can see, the query has one more level of escaping than the data appears within the database and consequently how it comes out when querying for it. In your case, what is probablygoing on, is that you have magic quotes turned on and then you escape strings before embedding them in a query. This leads to double-escaping, tampering your data. The proper solution is to keep escaping strings as you do, but turn off magic quotes. And don'tdo anything on the data as it comes out of the database. Beware that data already in the system needs to be cleaned up first.

正如您所看到的，查询比数据库中出现的数据多一层转义，因此在查询时它是如何出现的。在您的情况下，可能发生的情况是您打开了魔术引号，然后在将字符串嵌入到查询中之前转义字符串。这会导致双重转义，篡改您的数据。正确的解决方案是像您一样继续转义字符串，但关闭魔术引号。并且不要对来自数据库的数据做任何事情。请注意，需要先清理系统中已有的数据。

If get_magic_quotes_gpc()is off in SERVER, so only we can use

如果get_magic_quotes_gpc()在 SERVER 中关闭，那么只有我们可以使用

$data= mysql_real_escape_string($_POST['data']);

if get_magic_quotes_gpc()is on in SERVER, we have to use

如果get_magic_quotes_gpc()在 SERVER 中打开，我们必须使用

$data= mysql_real_escape_string(stripslashes($_POST['data']));

otherwise add two backslashes with your data.

否则为您的数据添加两个反斜杠。

Also another solution is we can use stripslashes($data)while fetch from datadase if we use only use mysql_real_escape_string($_POST['data']);

另一种解决方案是stripslashes($data)，如果我们只使用use ，我们可以使用while fetch from datadasemysql_real_escape_string($_POST['data']);