了解在PHP中转义的输入 [英] Understanding input escaping in PHP
问题描述
说我有一个表单发送数据HTTP POST到PHP文件。我在输入框中输入以下内容,并提交表单:
Hello,Jimmy O'Toole说。
如果您在收到此POST数据的PHP页面上打印/回显输入,则会显示为Jimmy O \'Toole说:
\Hello \
这是令人困惑的一点。如果我将这个输入字符串放入(My)SQL并执行它,它将进入数据库(因为引号被转义),但会停止SQL注入?
如果我输入输入字符串,并调用类似 mysqli real_escape_string
,它出现如下:
\\Hello\\ Jimmy O说,
所以当它通过(My)SQL进入数据库时,它最终如下:
\Hello \,Jimmy O \'Toole说。
这显然有太多斜杠。
所以如果输入通过HTTP POST作为转义,你是否必须再次转义,以使(My)SQL安全吗?或者我只是看不到有什么明显的东西?
提前感谢任何帮助。
以下是一个示例性文章: http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/
概述:禁用魔术报价,使用 real_escape_string()
。
One thing that's always confused me is input escaping and whether or not you're protected from attacks like SQL injection.
Say I have a form which sends data using HTTP POST to a PHP file. I type the following in an input field and submit the form:
"Hello", said Jimmy O'Toole.
If you print/echo the input on the PHP page that receives this POST data, it comes out as:
\"Hello\", said Jimmy O\'Toole.
This is the point where it gets confusing. If I put this input string into (My)SQL and execute it, it'll go into the database fine (since quotes are escaped), but would that stop SQL injection?
If I take the input string and call something like mysqli real_escape_string
on it, it comes out like this:
\\"Hello\\", said Jimmy O\\'Toole.
So when it goes into the database via (My)SQL, it ends up as:
\"Hello\", said Jimmy O\'Toole.
This obviously has too many slashes.
So if the input comes through HTTP POST as escaped, do you have to escape it again to make it safe for (My)SQL? Or am I just not seeing something obvious here?
Thanks in advance for any help.
Ah, the wonders of magic quotes. It is making those unnecessary escapes from your POST forms. You should disable (or neutralize) them, and many of your headaches go away.
Here's an exemplary article of the subject: http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/
Recap: disable magic quotes, use real_escape_string()
.
这篇关于了解在PHP中转义的输入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!