当将带有撇号的单词保存到数据库时,mysql_real_escape_string会添加斜杠'\'[复制]
Possible Duplicate:
mysql_real_escape_string and single quote可能重复:mysql_real_escape_string和单引号
EDIT: I have checked and my hosting service' mysql database is set up as:
编辑:我已经检查,我的托管服务'mysql数据库设置为:
Language: English (en-utf-8)
MySQL charset: UTF-8 Unicode (utf8)
The 'userItem' variable below came from a user-entered text string on a form.
下面的'userItem'变量来自表单上用户输入的文本字符串。
When I type in "this is A's user item" -- and I use mysql_real_escape_string on it -- here's what is saved to the database:
当我输入“这是A的用户项”时 - 我在其上使用mysql_real_escape_string - 这是保存到数据库的内容:
"this is A\'s user item"
BAD. A backslsh got saved with my test string.
坏。使用我的测试字符串保存了一个backslsh。
If I comment out the mysql_real_escape_string($userItem) and just use $userItem in the query string -- this is what gets stored in the database:
如果我注释掉mysql_real_escape_string($ userItem)并在查询字符串中使用$ userItem - 这就是存储在数据库中的内容:
"this is A's user item"
GOOD!! No backslash.
好!!没有反斜杠。
But let's face it, I really want to use mysql_real_escape_string for safety reasons -- I've been led to believe it is safer to use mysql_real_escape_string on strings before saving them to the database.
但让我们面对现实,出于安全原因,我真的想使用mysql_real_escape_string - 我一直认为在将字符串保存到数据库之前对字符串使用mysql_real_escape_string更安全。
THE PROBLEM: when I retrieve my text string "this is A\'s user item" and display it in the browser -- it has the slash in the string. And it surprises the user -- they did NOT type "this is A\'s user item", they typed "this is A's user item".
问题:当我检索我的文本字符串“这是A的用户项目”并在浏览器中显示它时 - 它在字符串中有斜杠。它让用户感到惊讶 - 他们没有输入“这是A的用户项目”,他们输入“这是A的用户项目”。
Here is the code:
这是代码:
$newItemInsertQuery = "INSERT INTO " . Dbases::$USERITEMS_TABLE
. " VALUES "
. "('"
. mysql_real_escape_string( $loggedInUser ) . "', '"
//. mysql_real_escape_string($userItem) . "', '" COMMENTED OUT due to extraneous backslash
. $userItem . "', '"
. mysql_real_escape_string($description) . "', '"
. mysql_real_escape_string($itemImage) . "', '"
. mysql_real_escape_string($userSubfolder) . "')";
$result = mysql_query($newItemInsertQuery);
I suspect the following;
我怀疑以下情况;
my expectations that it is a good thing to use mysql_real_escape_string on strings prior to a database insert is valid.
我希望在数据库插入之前对字符串使用mysql_real_escape_string是一件好事,这是有效的。
but I'm unaware of some other step that must be taken
但我不知道必须采取的其他措施
3 个解决方案
#1
2
I highly suggest using parameterized queries via either mysqli or PDO (both of which are built-in to PHP).
我强烈建议通过mysqli或PDO使用参数化查询(两者都内置于PHP)。
mysql_real_escape_string() is a stopgap measure at best. Using parameterized queries is both much less of a hassle (avoiding issues like this) and more secure - plus for many things it can also be more efficient.
mysql_real_escape_string()充其量是权宜之计。使用参数化查询既不那么麻烦(避免这样的问题),也更安全 - 加上很多东西它也可以更有效率。
It will also make it much clearer exactly what data is being passed in and going into your database, since it does not need to perform any escaping of any kind.
它还可以更准确地说明传入和进入数据库的数据,因为它不需要执行任何类型的转义。
更多相关文章
- php 把驼峰样式的字符串转换成下划线样式的字符串
- PHP中对用户密码进行加密
- 如何在PHP中自动设置用户的语言环境?
- 存储用户所需语言的最佳方式
- Pubsub与Node.js和Socket.io为个人用户
- 如何使用用户名作为子域名创建子域?
- jQuery PHP:检查用户名是否已经存在
- 仅在两个字符串之间移除空白。
- 设计多级用户权限系统