堆栈内存溢出
  简体   繁体   English

mysql_real_escape_string没有逃脱“

[英]mysql_real_escape_string does not escape "

 原文  2011-12-08 22:20:43       php/ mysql/ wordpress/ mysql-real-escape-string

问题描述

In PHP, I am escaping characters before insert in a MySQL database using mysql_real_escape_string 在PHP中,我在使用mysql_real_escape_string插入MySQL数据库之前转义字符 

$array_to_insert = array_map('mysql_real_escape_string', $my_arr);
$mysql->setTbl("mytable");
$id = $mysql->insertArray($array_to_insert);

When saving, double quotes are being saved as escaped with a \\ . 保存时,双引号将被保存为使用\\转义。 I do not want this, since some of the data is HTML and it may contain tags like <a href="www.stackoverflow.com"> etc, which will be saved as <a href=\\"www.stackoverflow.com\\"> and then displayed incorrectly in a WordPress setup. 我不想要这个,因为有些数据是HTML,它可能包含<a href="www.stackoverflow.com">等标签,它们将保存为<a href=\\"www.stackoverflow.com\\">然后在WordPress设置中显示不正确。

I have read elsewhere on stackoverflow that to avoid escaping the double quotes, one must first insert (as above) then select and insert into a table again. 我已经在stackoverflow上的其他地方读过,为了避免转义双引号,必须首先插入(如上所述)然后再次选择并插入表中。

Is there a way to solve this issue without having to select and re-insert? 有没有办法解决这个问题,而无需选择和重新插入?

Thanks (note: the database I am using is in utf-8 format) 谢谢(注意:我使用的数据库是utf-8格式)

2 个解决方案

解决方案1
 4  2011-12-08 22:24:37

Your server may have magic_quotes enabled. 您的服务器可能启用了magic_quotes。 Check it with 检查一下 

var_dump( get_magic_quotes_gpc() );

Otherwise, it's probably something you are doing beforehand or that your db library is doing. 否则,它可能是您事先正在做的事情或您的数据库库正在做的事情。 mysql_real_escape_string only escapes the string so that it is safe to use in a SQL query. mysql_real_escape_string只转义字符串,以便在SQL查询中使用它是安全的。 It can't help if the string is already escaped to begin with. 如果字符串已经开始转义,它就无济于事。

解决方案2
 2 已采纳  2011-12-08 23:11:59

You could always strip slashes on the way out using http://php.net/manual/en/function.stripslashes.php 您可以使用http://php.net/manual/en/function.stripslashes.php随时删除斜线

for instance: 例如: 

$sql = "SELECT * FROM table_name";
$result = mysql_query($sql) or mysql_error();
while ($output = mysql_fetch_assoc($result)) {
  echo stripslashes($output['column_name']);
}

alternatively, just remove all escaped double quotes: 或者,只需删除所有转义的双引号: 

echo str_replace('\"', '"', $output['column_name']);

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 mysql_real_escape_string和' - mysql_real_escape_string and ’ MySql mysql_real_escape_string错误 - MySql mysql_real_escape_string errors 为什么我的mysql_real_escape_string不起作用? - Why does my mysql_real_escape_string not work? PHP mysql_real_escape_string()保护数据库名称吗? - does PHP mysql_real_escape_string() protect database name? mysql_real_escape_string() 到底是做什么的? - what does mysql_real_escape_string() really do? mysql_escape_string VS mysql_real_escape_string - mysql_escape_string VS mysql_real_escape_string mysql_real_escape_string函数不起作用 - mysql_real_escape_string function not working 这些mysql_real_escape_string用法是否相同? - Are these mysql_real_escape_string usages same? mysql_real_escape_string和特殊字符 - mysql_real_escape_string and special characters mysql_real_escape_string无效 - mysql_real_escape_string not working
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM