Input text and special characters and MySQL


Question

I have a simple textbox in a form and I want to safely store special characters in the database after a POST or GET, and I use the code below.

$text=mysql_real_escape_string(htmlspecialchars_decode(stripslashes(trim($_GET["text"])),ENT_QUOTES));

When I read the text from the database and put it in the text value I use the code below.

$text=htmlspecialchars($text_from_DB,ENT_QUOTES,'UTF-8',false);
<input type="text" value="<?=$text?>" />

I am trying to save to the database with no special characters (meaning I don't want to write " or ' into the database field).

Actually, when writing to the database I do htmlspecialchars_decode on the text.

When writing to the form text box I do htmlspecialchars on the text.

Is this the best approach for safely writing special chars to the database?

Answer

You have the right idea of keeping the text in the database as raw. Not sure what all the HTML entity stuff is for; you shouldn't need to be doing that for a database insertion.

[The only reason I can think of why you might try to entity-decode incoming input for the database would be if you find you are getting character references like &#352; in your form submission input. If that's happening, it's because the user is inputting characters that don't exist in the encoding used by the page with the form. This form of encoding is totally bogus because you then can't distinguish between the user typing Š and literally typing &#352;! You should avoid this by using the UTF-8 encoding for all your pages and content, as every possible character fits in this encoding.]

Strings in your script should always be raw text with no escaping. That means you don't do anything to them until the time you output them into a context that isn't plain-text. So for putting them into an SQL string:

$category = trim($_POST['category']);
// Escape only here, at the moment the raw value becomes part of the SQL text
// (mysql_real_escape_string needs an open mysql connection to know the charset).
mysql_query("SELECT * FROM things WHERE category='".mysql_real_escape_string($category)."'");

(or use parameterised queries to avoid having to manually escape it.) When putting content into HTML:

<input type="text" name="category" value="<?php echo htmlspecialchars($category); ?>" />

(you can define a helper function with a shorter name like function h($s) { echo htmlspecialchars($s, ENT_QUOTES); } if you want to cut down on the amount of typing you have to do in templates.)

And... that's pretty much it. You don't need to process strings that come out of the database, as they're already raw strings. You don't need to process input strings(*), other than any application-specific field validation you want to do.

*: well, except if magic_quotes_gpc is turned on, in which case you do either need to stripslashes() everything that comes in from get/post/cookie, or, my favoured option, just immediately fail:

if (get_magic_quotes_gpc())
    die(
        'Magic quotes are turned on. They are utterly bogus and no-one should use them. '.
        'Turn them off, you idiot, or I refuse to run. So there!'
    );
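
The rule the answer gives, raw text everywhere and escaping only at the SQL and HTML boundaries, put together as one runnable script. This is an added example, not code from the original answer: it uses PDO with bound parameters (the "parameterised queries" the answer mentions) instead of mysql_real_escape_string, an in-memory SQLite database so it runs without a MySQL server, the answer's `things`/`category` table and column names, and a few constructed inputs chosen to exercise quotes, backslashes and literal entity text. The `h()` helper is the answer's, with the charset made explicit. The last function replays the question's input pipeline to show why decoding and stripping slashes on the way in loses information.

```php
<?php
declare(strict_types=1);

// Added example (not from the original answer). Strings stay raw in PHP and in
// the database; escaping happens only where they leave plain text.

// Constructed inputs a user might type into the textbox. All must round-trip unchanged.
$samples = [
    "O'Reilly says \"hi\" <script>alert(1)</script>",
    'C:\temp\notes.txt',                   // backslashes: stripslashes() would remove these
    'typed literally: &quot; and &#352;',  // must stay literal, not turn into " or Š
];

// SQL boundary. With bound parameters the value never becomes part of the query
// text, so nothing is escaped. SQLite in memory so this runs without a server;
// for MySQL change the DSN and credentials, and also pass
// PDO::ATTR_EMULATE_PREPARES => false so the server does the binding.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE things (id INTEGER PRIMARY KEY, category TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO things (category) VALUES (:category)');
foreach ($samples as $text) {
    // trim() is field validation, not escaping; it is the only thing done to input.
    $insert->execute([':category' => trim($text)]);
}

// Reading back needs no processing either: the rows are already raw text.
$select = $db->prepare('SELECT category FROM things WHERE category = :category');
foreach ($samples as $text) {
    $select->execute([':category' => $text]);
    $stored = $select->fetchColumn();
    if ($stored !== $text) {
        throw new RuntimeException("stored value differs from input: $stored");
    }
}

// HTML boundary. The answer's short helper: ENT_QUOTES so the value is safe in
// single- or double-quoted attributes, explicit UTF-8, and ENT_SUBSTITUTE so an
// invalid byte sequence is replaced instead of blanking the whole string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$rows = $db->query('SELECT category FROM things ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $category) {
    echo '<input type="text" name="category" value="' . h($category) . "\" />\n";
}

// For contrast, the question's input pipeline (minus mysql_real_escape_string).
// It is lossy: a literal &quot; and a real " are stored identically, and
// backslashes disappear, so the original input can no longer be recovered.
function questionPipeline(string $s): string
{
    return htmlspecialchars_decode(stripslashes(trim($s)), ENT_QUOTES);
}

echo questionPipeline('"') === questionPipeline('&quot;')
    ? "lossy: a typed &quot; and a typed \" end up as the same stored value\n"
    : "distinct\n";
echo 'stripslashes turned C:\temp into ' . questionPipeline('C:\temp') . "\n";
```

Run it with `php` on the command line: the round-trip check throws if any sample comes back altered, the three `<input>` tags show the same values escaped once for HTML, and the last two lines show the question's pipeline collapsing `&quot;` and `"` and eating the backslash. Note that `get_magic_quotes_gpc()` from the answer's footnote no longer exists in PHP 8, so that check is only relevant on the old versions where magic quotes could be on.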
