php的mysqli-> real_escape_string()将引号转换为htmlchars
[英]php's mysqli->real_escape_string() converting quotes to htmlchars
问题描述
Pretty simple piece of code; 
很简单的一段代码; accepting user input for a name (quotes/apostrophe's valid), and then storing it in a mysql db; 接受用户输入的名称(引号/撇号有效),然后将其存储在mysql数据库中;
$this->sql = new mysqli($this->host, $this->user, $this->pass, $this->dbname);
$firstname = $this->sql->real_escape_string($firstname);
$lastname = $this->sql->real_escape_string($lastname);
$sql = "INSERT INTO users
(firstname, lastname)
('{$firstname}', '{$lastname}')";
$this->sql->query($sql);
However, when in use, this is converting all quotes/apostrophe's into ' 但是,在使用时,这会将所有引号/撇号转换为' . 。
Would anyone have any ideas as to what could cause this? 谁会对此产生任何想法? I've checked through the script for any htmlspecialchars or other methods being called. 我已经检查了脚本中是否有任何htmlspecialchars或其他被调用的方法。
1 个解决方案
解决方案1
1 已采纳 2015-10-28 21:50:28
That is what real_escap_string does. 这就是real_escap_string所做的。 All characters which can be used to perform an SQL Injection attack have to be escaped. 可以用于执行SQL注入攻击的所有字符都必须转义。 See here for a full list of these "symbols" http://www.w3.org/MarkUp/html-spec/html-spec_13.html If you display them the browser renders them to what they are supposed to look like, but they are can not effect your Query any more. 有关这些“符号”的完整列表,请参见此处。http://www.w3.org/MarkUp/html-spec/html-spec_13.html如果显示它们,浏览器会将它们呈现为它们应具有的外观,但是它们将不再影响您的查询。
If you do not want to change the characters I suggest the use of prepared statements. 如果您不想更改字符,我建议使用准备好的语句。 They are the best way to prevent SQL Injection attacks. 它们是防止SQL注入攻击的最佳方法。 More on this topic can be found here: http://php.net/manual/de/mysqli.quickstart.prepared-statements.php and here: How can I prevent SQL injection in PHP? 有关此主题的更多信息,请参见: http : //php.net/manual/de/mysqli.quickstart.prepared-statements.php,以及以下内容: 如何防止PHP中的SQL注入?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.