Mysql Php使用real_escape_string转义单引号
[英]Mysql Php Escaping single quotes with real_escape_string
问题描述
I am having trouble figuring out how to clean my strings for safe queries while maintaining the meaning of the string. 
我在弄清楚如何清洁字符串以进行安全查询时遇到麻烦,同时又保持了字符串的含义。 Given the table where some of the values have single quotes or other escapable characters. 给定表,其中某些值具有单引号或其他可转义的字符。 How do I use real_escape_string and still select those values? 如何使用real_escape_string并仍然选择这些值?
my_table my_table
Col1 Col2
-----------------
1 value's1
2 value's2
value's1 is coming from the url so I have to clean it with mysqli::real_escape_string Which means that my query looks like this value's1来自url,所以我必须用mysqli :: real_escape_string清理它,这意味着我的查询看起来像这样
SELECT Col1,Col2 FROM my_table WHERE Col2 = 'value\'s1'
And of course because of this I am getting no results returned. 当然,因此,我没有得到任何结果。
What are the various strategies for dealing with this problem? 解决此问题的各种策略是什么?
Note: Just did phpinfo() and magic_quotes_gpc is 'off'. 注意: phpinfo()和magic_quotes_gpc都处于“关闭”状态。 Is it neccessary for me to clean this value I don't see how someone could do an sql injection when php only allows one query at a time? 我是否有必要清除此值,而当php一次只允许一个查询时,我看不到有人怎么做sql注入? Am i just being over cautious? 我只是过分谨慎了吗?
1 个解决方案
解决方案1
1 2011-02-06 19:45:30
if(get_magic_quotes_gpc())
{
$string = stripslashes($string);
$string = mysqli_real_escape_string($string);
}
else
{
$string = mysqli_real_escape_string($string);
}
You might want to make a function out of this 您可能想利用此功能
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.