PHP mysql_real_escape_string()-> stripslashes()留下多个斜线 [英] PHP mysql_real_escape_string() -> stripslashes() leaving multiple slashes
问题描述
我在使用PHP/MySQL转义/剥离字符串时遇到问题-似乎总是有多余的斜杠.
I'm having issues escaping/stripping strings with PHP/MySQL - there always seems to be redundant slashes.
让我们以以下字符串为例:
Let's take the following string as an example:
<span style="text-decoration:underline;">underline</span>
将字符串添加到数据库时,我用mysql_real_escape_string()
进行转义,并且以下内容存储在数据库中( EDIT :通过直接使用mysql应用程序查询数据库进行检查):
When adding a string to the database, I'm escaping it with mysql_real_escape_string()
and the following gets stored in the database (EDIT: checked this by querying the database directly with mysql app):
<span style=\\\"text-decoration:underline;\\\">underline</span>
从数据库读回时,我通过stripslashes()
传递了字符串,并返回了以下内容:
When reading back out of the database, I'm passing the string through stripslashes()
and the following is returned:
<span style=\"text-decoration:underline;\">underline</span>
由于引号仍然被转义,因此它会破坏html并且文本不会带有下划线.
Since the quotes are still escaped, it breaks the html and the text is not underlined.
- 为什么
mysql_real_escape_string()
添加三个斜杠,而stripslashes()
删除两个斜杠?我希望他们俩都添加/删除一个斜杠. - 如何防止这种情况发生?
- 我正以正确的方式来处理吗?
- Why is
mysql_real_escape_string()
adding three slashes, andstripslashes()
removing two slashes? I would expect them both to add/remove one slash. - How can I prevent this from happening?
- Am I approaching this the correct way?
推荐答案
最佳解决方案
在您的php.ini文件中,有可能将 magic_quotes_gpc
指令设置为on.出于安全原因,应禁用此功能.如果您无权访问php.ini文件(例如,在共享主机上),则始终可以使用.htaccess指令(假设这是apache服务器)完成相同操作.
Best Solution
In your php.ini file, odds are that the magic_quotes_gpc
directive is set to on. This should be disabled for security reasons. If you don't have access to the php.ini file (eg. on a shared host), you can always accomplish the same using an .htaccess directive (assuming this is an apache server).
在您的php.ini中
In your php.ini
magic_quotes_gpc Off
在.htaccess文件中:
In an .htaccess file:
php_flag magic_quotes_gpc Off
为什么会这样?
发生这种情况的原因是由于以下逻辑过程.
Why is this happening?
The reason this is happening is due to the following course of logic.
- 需要转义的字符串发送到服务器.
-
This is my string. It's awesome.
-
- A string that needs escaping is sent to the server.
This is my string. It's awesome.
-
This is my string. It\'s awesome
-
This is my string. It\\\'s awesome
-
This is my string. It\'s awesome
当您将这些字符串重新提交给数据库时,这个问题实际上会失控,因为每次反斜杠的数量成倍增加.
This problem can really get out of hand when you re-submit these strings to the database, as each time the number of backslashes multiplies.
一种快速简便的替代方法是在将字符串传递给mysql_real_escape_string
之前,简单地删除magic_quotes
添加的斜杠.
A quick-and easy alternative would be to simply remove the slashes added by magic_quotes
before passing the string to mysql_real_escape_string
.
$str = stripslashes($_POST['str']);
$str = mysql_real_escape_string($str);
这篇关于PHP mysql_real_escape_string()-> stripslashes()留下多个斜线的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!