在使用“使用PHP向MySQL输入数据的安全方式"插入数据时存在问题. [英] Problems in inserting data using "safe way to input data to mysql using PHP"

问题描述

我正在尝试使用表格将数据输入到MySQL中，并且为此目的还使用 mysql_real_escape_string .不幸的是我的输出有问题.它显示 \ ，或者，如果我使用 stripslashes ，那么它将删除所有斜杠.

I am trying to input data using forms into the MySQL, and also using mysql_real_escape_string for this purpose. Unfortunately I am having a problem with the output. It displays \s, or if I use stripslashes then it removes all slashes.

如果我使用反斜杠\ 提交 web表单，则会得到以下输出:

If I submit web's forms using backslash \ I get this output:

"web\'s forms using backslash \\"

看到我有两个反斜杠.但是，如果我使用 stripslashes 函数，则它会删除所有斜杠，但也会删除输入的斜杠，输出为

See I got a double backslash. But if I use the stripslashes function then it removes all slashes but also removes inputed slash and the output is

"web's forms using backslash"

在这里，没有显示反斜杠，但是末尾应该有一个反斜杠.

Here, no backslash is displayed, but there should be one backslash at the end.

问题是，如果有人在密码字段中使用反斜杠而其他任何文件都使用反斜杠，则反斜杠将被剥离或显示两次.另外，请告诉我什么是最适合显示输出htmlentity或htmlspecialchars的

The problem is that if someone uses backslash in password field and any other filed, then the backslash will be stripped or displayed twice.And also please tell me what is best for displaying output htmlentities or htmlspecialchars

推荐答案

您有魔术引号打开.您需要完全禁用它们，因为它们在安全性方面不好.

You have magic quotes turned on. You need to disable them altogether as they are not good in terms of security.

将它们从php.ini设置为 off (首选):

Set them to off from php.ini (preferred):

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

或者您可以在运行时将其禁用:

Or you can disable them at runtime:

if (get_magic_quotes_gpc())
{
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process))
    {
        foreach ($val as $k => $v)
        {
            unset($process[$key][$k]);
            if (is_array($v))
            {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            }
            else
            {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

这篇关于在使用“使用PHP向MySQL输入数据的安全方式"插入数据时存在问题.的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！