I don't need mysql_real_escape_string?


Problem description


My raw POST seems to return already escaped...so if
the php is set to do it for me, then I shouldn't
do anything more? [for that particular aspect, anyway]?

--thelma

Recommended answer

On Sat, 17 May 2008 01:31:27 +0200, <th****@uwm.edu> wrote:

My raw POST seems to return already escaped...so if
the php is set to do it for me, then I shouldn't
do anything more? [for that particular aspect, anyway]?




magic_quotes_gpc is on on your host, and that feature should not be
trusted to escape data to prevent mysql injection as it amongst others
can choke on multibyte characters missing (or even creating...) quotes.

This feature is one of PHP's mistakes, and as they state
(<http://nl2.php.net/magic_quotes>):
"Warning: This feature has been DEPRECATED and REMOVED as of PHP 6.0.0.
Relying on this feature is highly discouraged."
And (<http://nl2.php.net/manual/en/security.magicquotes.why.php>):
"..Although SQL Injection is still possible with magic quotes on, the risk
is reduced."

Try to turn it off, either by server/php.ini config or .htaccess files if
possible. If not, stripslashes() from the string if magic_quotes_gpc()
returns true, and hopefully enjoy the real data received. Use the real
function meant for this purpose, which other than magic_quotes CAN
communicate with the database and know what kind of escaping is needed.
--
Rik Wasmus
....spamrun finished
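As an added illustration of the advice above (example code, not from the thread): undo magic_quotes_gpc only when the host actually has it on, then escape once with mysql_real_escape_string() on an open connection whose charset is set. The mysql_* calls are the ones the thread is about; the connection details and the `users` query are hypothetical.

```php
<?php
// Added example: strip what magic_quotes_gpc added, then escape with the
// connection-aware function, so data is escaped exactly once.

// Recursively remove the backslashes magic_quotes_gpc inserted, so the script
// works with the bytes the client really sent (nested arrays included).
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Strip only when the setting is on; blindly calling stripslashes() would
// silently eat backslashes the user typed on purpose.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Hypothetical connection details. The link must be open and its character
// set declared before escaping: mysql_real_escape_string() escapes according
// to the connection's charset, which is the multibyte point made above.
$link = mysql_connect('localhost', 'app_user', 'app_password');
mysql_select_db('app_db', $link);
mysql_set_charset('utf8', $link);

// Escape at the moment the query is built, never earlier and never twice.
$name = isset($_POST['name']) ? $_POST['name'] : '';
$sql  = "SELECT id FROM users WHERE name = '"
      . mysql_real_escape_string($name, $link) . "'";
$result = mysql_query($sql, $link);
```

If the input had not been unslashed first, a name such as O'Brien would arrive as O\'Brien and be stored with a literal backslash after the second escaping.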


what you are noticing is get_magic_quotes_gpc (GET, POST & COOKIE)

This is a setting turned on and off in the php.ini file.

Just because this is set to on in your instance does not mean that it
will be so on another server.

Also magic quotes gpc does not stop other problems that may occur as a
result of dodgy user input.

You should always escape user input properly. Also, I'm pretty sure
(but not 100%) that magic quotes are deprecated as of php6.


ha ha, looks like I was beat to the mark :-)

