mysql_real_escape_string() 不应该在数据库中留下斜杠吗? [英] Shouldn't mysql_real_escape_string() leave slashes in Database?

问题描述

我使用 smarty 和 mysql_real_escape_string() 进行用户输入，当我用 ' 或 " 插入一些代码，并在 phpmyadmin 中查找时它显示时没有反斜杠.

Im using smarty and mysql_real_escape_string() for user input, and when I insert some code with ' or " , and lookup in phpmyadmin it shows without backslashes.

当我从数据库获取记录时，我也没有反斜杠.但是当我只是通过转义字符串而不插入数据库时它是反斜杠的.

When I get record from DB i doesn't have backslashes also. But when I just pass escaped string without inserting into the db it is backslashed.

不应该添加斜线，插入斜线然后我会当我输出时剥离它们?还是我遗漏了什么?

Shouldn't it add slashes, insert with them and then I would strip them when i would output? Or am I missing something?

推荐答案

你错过了它 - 使用反斜杠转义是为了确保查询没有格式错误，例如像这样的事情肯定会中断并可能冒 SQL 注入的风险:

You're missing it - escaping with backslashes is meant to ensure that queries aren't malformed, e.g. something like this will surely break and possibly risk SQL injections:

insert into table values ('whatever 'this' is')

表中不会保存任何内容，而这个:

and nothing will be saved in the table, whereas this:

insert into table values ('whatever \'this\' is')

将在表中保存值无论'这个'是什么".

will save the value "whatever 'this' is" in the table.

这篇关于mysql_real_escape_string() 不应该在数据库中留下斜杠吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！