mysql_real_escape_string（）不应该在数据库中留下斜线？ [英] Shouldn't mysql_real_escape_string() leave slashes in Database?

问题描述

我使用smarty和 mysql_real_escape_string（）为用户输入，
，当我插入一些代码与'或，并在phpmyadmin
中查找，它显示为没有反斜杠。

Im using smarty and mysql_real_escape_string() for user input, and when I insert some code with ' or " , and lookup in phpmyadmin it shows without backslashes.

当我获得记录从DB我也没有反斜杠
但是当我刚刚传递转义的字符串而不插入db
它是反斜杠。

When I get record from DB i doesn't have backslashes also. But when I just pass escaped string without inserting into the db it is backslashed.

Shouldn不，它会添加斜杠，插入他们然后我将
剥离他们，当我输出？
还是我缺少的东西？

Shouldn't it add slashes, insert with them and then I would strip them when i would output? Or am I missing something?

推荐答案

你错过了 - 使用反斜杠进行转义是为了确保查询不会发生错误，例如这样的事情肯定会中断，可能会导致SQL注入：

You're missing it - escaping with backslashes is meant to ensure that queries aren't malformed, e.g. something like this will surely break and possibly risk SQL injections:

insert into table values ('whatever 'this' is')

，没有任何内容将保存在表中，而这个：

and nothing will be saved in the table, whereas this:

insert into table values ('whatever \'this\' is')

将保存值 在表中。

这篇关于mysql_real_escape_string（）不应该在数据库中留下斜线？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！