mysqli查询问题。 mysqli_real_escape_string错误
[英]mysqli query issue. mysqli_real_escape_string error
问题描述
Having trouble with a mysqli query - specifically the WHERE stoname= clause. 
遇到mysqli查询问题 - 特别是WHERE stoname=子句。
This doesn't work: 这不起作用:
$result = @mysqli_query($dbc, "SELECT * FROM thedb WHERE coname='{$_SESSION['user']}' AND stoname='{$_SESSION['store']}' ");
If I echo $_SESSION['store'] then it prints as o\\'store which matches what's the in the database. 如果我回显$_SESSION['store']那么它会打印为o\\'store ,它与数据库中的内容相匹配。 Yet this doesn't work. 然而,这不起作用。
However, if I echo mysqli_real_escape_string($dbc,($_SESSION['store'])) then it prints o\\\\\\'store which is NOT what's in the database. 但是,如果我回mysqli_real_escape_string($dbc,($_SESSION['store']))那么它会打印o\\\\\\'store ,这不是数据库中的内容。 Yet it works. 但它确实有效。
$result = @mysqli_query($dbc, "SELECT * FROM thedb WHERE user='{$_SESSION['user']}' AND stoname='".mysqli_real_escape_string($dbc,($_SESSION['store']))."' ");
I accept that I have working code, but I'm confused as to why this the case. 我接受我有工作代码,但我很困惑为什么会这样。 Can anyone explain what I've done / am doing wrong? 任何人都可以解释我做了什么/做错了什么? Thanks 谢谢
1 个解决方案
解决方案1
3 已采纳 2015-08-04 18:14:55
If your table literally contains o\\'store then mysqli_real_escape_string() has done its job correctly. 如果你的表字面上包含o\\'store那么mysqli_real_escape_string()已正确完成其工作。 The function's purpose is to escape a string for safe inclusion inside a SQL statement, not to be an exact literal match for what is actually already in your table. 该函数的目的是转义字符串以安全包含在SQL语句中,而不是与表中实际存在的字符完全匹配。
The table value contains literally \\' . 该表值包含字面\\' 。 When you use that value directly in the SQL statement, the backslash is misinterpreted as an escape character to the ' rather than as a literal \\ as appears in your table. 当您在SQL语句中直接使用该值时,反斜杠会被误解为表格中显示的'而不是文字\\ '的转义字符。 So the query produces no results because the executed SQL statement is: 因此,查询不会产生任何结果,因为执行的SQL语句是:
# MySQL sees only an escaped ' and no \
SELECT * FROM thedb WHERE coname='something' AND stoname='o\'store'
...meaning the value of stoname actually compared is just o'store without \\ , because \\ has been discarded by MySQL as an escape character. ...意思是实际比较的stoname的值只是没有\\ o'store ,因为\\已被MySQL作为转义字符丢弃。
So mysqli_real_escape_string() produces a value with two changes. 所以mysqli_real_escape_string()产生一个带有两个变化的值。
First, the literal ' in your original string is backslashed escaped as \\' for use in the SQL. 首先,在原始字符串中的文字'被反斜杠转义为\\' ,以便在SQL中使用。
Then, the literal \\ already in your string is itself backslash-escaped so that it can be understood as a literal characer by MySQL rather than an escape character. 然后,你的字符串中的文字\\本身就是反斜杠转义的,这样它就可以被MySQL理解为文字字符,而不是转义字符。 That results in \\\\ . 这导致\\\\ 。 Combined with the escaped \\' , you now have \\\\\\' . 结合逃脱的\\' ,你现在有了\\\\\\' 。
MySQL receives that string \\\\\\' and is able to correctly interpret it as one literal \\ followed by one literal ' after discarding the extra \\ escape character before each. MySQL接收到该字符串\\\\\\'并且在每个字符串之前丢弃额外的\\ escape字符后,能够正确地将其解释为一个文字\\后跟一个文字' 。 The condition matches the column's actual value and your query is successful. 条件与列的实际值匹配,查询成功。
# MySQL sees an escaped \ followed by an escaped '
SELECT * FROM thedb WHERE coname='something' AND stoname='o\\\'store'
About storage... 关于存储......
We don't know much about how your table originally received its value, but I have a hunch it was stored in an escaped form. 我们不太了解你的桌子最初是如何获得它的价值的,但我有一种预感,它以逃脱的形式存储。 If the string o\\'store was originally o'store without the \\ , it suggests that an escaped value was inserted in the table. 如果字符串o\\'store最初是o'store而没有\\ ,则表示在表中插入了一个转义值。 That is not usually done, and is undesirable. 通常不会这样做,这是不可取的。 Correct use of mysqli_real_escape_string() at the time of data insertion should store the original string rather than an escaped string. 在数据插入时正确使用mysqli_real_escape_string()应该存储原始字符串而不是转义字符串。 Escaping is only done when constructing SQL statements. 只有在构造SQL语句时才会进行转义。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.