PHP mysql_real_escape_string()-> stripslashes()留下多个斜线 [英] PHP mysql_real_escape_string() -> stripslashes() leaving multiple slashes

问题描述

我在使用PHP/MySQL转义/剥离字符串时遇到问题-似乎总是有多余的斜杠.

I'm having issues escaping/stripping strings with PHP/MySQL - there always seems to be redundant slashes.

让我们以以下字符串为例:

Let's take the following string as an example:

<span style="text-decoration:underline;">underline</span>

将字符串添加到数据库时，我用mysql_real_escape_string()进行转义，并且以下内容存储在数据库中( EDIT :通过直接使用mysql应用程序查询数据库进行检查):

When adding a string to the database, I'm escaping it with mysql_real_escape_string() and the following gets stored in the database (EDIT: checked this by querying the database directly with mysql app):

<span style=\\\"text-decoration:underline;\\\">underline</span>

从数据库读回时，我通过stripslashes()传递了字符串，并返回了以下内容:

When reading back out of the database, I'm passing the string through stripslashes() and the following is returned:

<span style=\"text-decoration:underline;\">underline</span>

由于引号仍然被转义，因此它会破坏html并且文本不会带有下划线.

Since the quotes are still escaped, it breaks the html and the text is not underlined.

1. 为什么mysql_real_escape_string()添加三个斜杠，而stripslashes()删除两个斜杠?我希望他们俩都添加/删除一个斜杠.
2. 如何防止这种情况发生?
3. 我正以正确的方式来处理吗?

1. Why is mysql_real_escape_string() adding three slashes, and stripslashes() removing two slashes? I would expect them both to add/remove one slash.
2. How can I prevent this from happening?
3. Am I approaching this the correct way?

推荐答案

最佳解决方案

在您的php.ini文件中，有可能将 magic_quotes_gpc 指令设置为on.出于安全原因，应禁用此功能.如果您无权访问php.ini文件(例如，在共享主机上)，则始终可以使用.htaccess指令(假设这是apache服务器)完成相同操作.

Best Solution

In your php.ini file, odds are that the magic_quotes_gpc directive is set to on. This should be disabled for security reasons. If you don't have access to the php.ini file (eg. on a shared host), you can always accomplish the same using an .htaccess directive (assuming this is an apache server).

在您的php.ini中

In your php.ini

magic_quotes_gpc Off

在.htaccess文件中:

In an .htaccess file:

php_flag magic_quotes_gpc Off

为什么会这样?

发生这种情况的原因是由于以下逻辑过程.

Why is this happening?

The reason this is happening is due to the following course of logic.

1. 需要转义的字符串发送到服务器.
   • This is my string. It's awesome.

1. A string that needs escaping is sent to the server.
   • This is my string. It's awesome.

• This is my string. It\'s awesome

• This is my string. It\\\'s awesome

• This is my string. It\'s awesome

当您将这些字符串重新提交给数据库时，这个问题实际上会失控，因为每次反斜杠的数量成倍增加.

This problem can really get out of hand when you re-submit these strings to the database, as each time the number of backslashes multiplies.

一种快速简便的替代方法是在将字符串传递给mysql_real_escape_string之前，简单地删除magic_quotes添加的斜杠.

A quick-and easy alternative would be to simply remove the slashes added by magic_quotes before passing the string to mysql_real_escape_string.

$str = stripslashes($_POST['str']);
$str = mysql_real_escape_string($str);

这篇关于PHP mysql_real_escape_string()-> stripslashes()留下多个斜线的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！