[英]mysqli query issue. mysqli_real_escape_string error
Having trouble with a mysqli query - specifically the WHERE stoname=
clause. 遇到mysqli查询问题 - 特别是
WHERE stoname=
子句。
This doesn't work: 这不起作用:
$result = @mysqli_query($dbc, "SELECT * FROM thedb WHERE coname='{$_SESSION['user']}' AND stoname='{$_SESSION['store']}' ");
If I echo $_SESSION['store']
then it prints as o\\'store
which matches what's the in the database. 如果我回显
$_SESSION['store']
那么它会打印为o\\'store
,它与数据库中的内容相匹配。 Yet this doesn't work. 然而,这不起作用。
However, if I echo mysqli_real_escape_string($dbc,($_SESSION['store']))
then it prints o\\\\\\'store
which is NOT what's in the database. 但是,如果我回
mysqli_real_escape_string($dbc,($_SESSION['store']))
那么它会打印o\\\\\\'store
,这不是数据库中的内容。 Yet it works. 但它确实有效。
$result = @mysqli_query($dbc, "SELECT * FROM thedb WHERE user='{$_SESSION['user']}' AND stoname='".mysqli_real_escape_string($dbc,($_SESSION['store']))."' ");
I accept that I have working code, but I'm confused as to why this the case. 我接受我有工作代码,但我很困惑为什么会这样。 Can anyone explain what I've done / am doing wrong?
任何人都可以解释我做了什么/做错了什么? Thanks
谢谢
If your table literally contains o\\'store
then mysqli_real_escape_string()
has done its job correctly. 如果你的表字面上包含
o\\'store
那么mysqli_real_escape_string()
已正确完成其工作。 The function's purpose is to escape a string for safe inclusion inside a SQL statement, not to be an exact literal match for what is actually already in your table. 该函数的目的是转义字符串以安全包含在SQL语句中,而不是与表中实际存在的字符完全匹配。
The table value contains literally \\'
. 该表值包含字面
\\'
。 When you use that value directly in the SQL statement, the backslash is misinterpreted as an escape character to the '
rather than as a literal \\
as appears in your table. 当您在SQL语句中直接使用该值时,反斜杠会被误解为表格中显示的
'
而不是文字\\
'
的转义字符。 So the query produces no results because the executed SQL statement is: 因此,查询不会产生任何结果,因为执行的SQL语句是:
# MySQL sees only an escaped ' and no \
SELECT * FROM thedb WHERE coname='something' AND stoname='o\'store'
...meaning the value of stoname
actually compared is just o'store
without \\
, because \\
has been discarded by MySQL as an escape character. ...意思是实际比较的
stoname
的值只是没有\\
o'store
,因为\\
已被MySQL作为转义字符丢弃。
So mysqli_real_escape_string()
produces a value with two changes. 所以
mysqli_real_escape_string()
产生一个带有两个变化的值。
First, the literal '
in your original string is backslashed escaped as \\'
for use in the SQL. 首先,在原始字符串中的文字
'
被反斜杠转义为\\'
,以便在SQL中使用。
Then, the literal \\
already in your string is itself backslash-escaped so that it can be understood as a literal characer by MySQL rather than an escape character. 然后,你的字符串中的文字
\\
本身就是反斜杠转义的,这样它就可以被MySQL理解为文字字符,而不是转义字符。 That results in \\\\
. 这导致
\\\\
。 Combined with the escaped \\'
, you now have \\\\\\'
. 结合逃脱的
\\'
,你现在有了\\\\\\'
。
MySQL receives that string \\\\\\'
and is able to correctly interpret it as one literal \\
followed by one literal '
after discarding the extra \\
escape character before each. MySQL接收到该字符串
\\\\\\'
并且在每个字符串之前丢弃额外的\\
escape字符后,能够正确地将其解释为一个文字\\
后跟一个文字'
。 The condition matches the column's actual value and your query is successful. 条件与列的实际值匹配,查询成功。
# MySQL sees an escaped \ followed by an escaped '
SELECT * FROM thedb WHERE coname='something' AND stoname='o\\\'store'
We don't know much about how your table originally received its value, but I have a hunch it was stored in an escaped form. 我们不太了解你的桌子最初是如何获得它的价值的,但我有一种预感,它以逃脱的形式存储。 If the string
o\\'store
was originally o'store
without the \\
, it suggests that an escaped value was inserted in the table. 如果字符串
o\\'store
最初是o'store
而没有\\
,则表示在表中插入了一个转义值。 That is not usually done, and is undesirable. 通常不会这样做,这是不可取的。 Correct use of
mysqli_real_escape_string()
at the time of data insertion should store the original string rather than an escaped string. 在数据插入时正确使用
mysqli_real_escape_string()
应该存储原始字符串而不是转义字符串。 Escaping is only done when constructing SQL statements. 只有在构造SQL语句时才会进行转义。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.