
mysql_real_escape_string strange apostrophe behaviour?

I have a form and a user enters e.g. (note the apostrophe at the end of the string)

My Bday'

Now, I want to strip apostrophes, simple as that... not escape them, not add slashes, just get rid of them.

Firstly I have the following:

$event_title = mysql_real_escape_string($_POST['event_title']);

echo "<br /><br /><br />event title is $event_title";

Which results in the following being returned:

event title is My Bday\\\'

Why 3 slashes?

So, then I go ahead and deal with this by using the following:

$event_title = str_replace("'", "", $event_title); 

$event_title = stripslashes($event_title); 

Then I return it again to check the results:

echo "<br /><br /><br />event title is $event_title";

I get the following:

event title is My Bday\

Any ideas what's happening? I simply want to strip apostrophes and slashes but somehow it's not happening.

magic_quotes_gpc is off, by the way.

If I don't use stripslashes, therefore leaving them in for MySQL to deal with, I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'Private',
event_notes = '' where user_event_id = '35'' at line 3

update user_events set event_date = '2012-11-17', event_title = 'My Bday\\\',
event_vis = 'Private', event_notes = '' where user_event_id = '35'

OK, a further EDIT:

I tried this:

$event_title = $_POST['event_title'];

$event_title = str_replace("'", "", $event_title);

$event_title = trim($event_title);

$event_title = mysql_real_escape_string($event_title);

echo "<br /><br /><br />event title is $event_title";

and I get this:

event title is My Bday\\

I simply want to get rid of apostrophes; clearly something else is going on here, but it's got me!

What's happening is this:

mysql_real_escape_string escapes all the characters that should be escaped by adding a slash in front of the character being escaped. But adding just a slash will lead to storing the character as unescaped within the DB, therefore the slash must also be escaped prior to inserting...

That's why You have My BDay\\\\\\' . If this value is stored into a DB the final result will be My BDay\\' .

But when You do str_replace("'", "", 'My BDay\\\\\\''); You will end up with My BDay\\\\\\ and after calling stripslashes on this You will get My BDay\\ - that is absolutely correct!

So don't bother with how the string looks after calling mysql_real_escape_string , just store that value into the DB and after retrieving it You will end up with My BDay' again...

EDIT How do You come to just one slash from the three after calling stripslashes ? The function goes from the start of the string to its end and looks for any slash-escaped characters to remove the escaping slash. So it finds the first two slashes and removes one, but two still remain (the one just processed and the third one), so it processes the next two slashes it finds, which results in just one slash remaining...

If You'd call stripslashes on the string My BDay\\\\\\' - that will lead to My BDay' ...

EDIT2 My bad... The next two slashes are probably added because You have magic_quotes_gpc ON - turn that off or call mysql_real_escape_string(stripslashes($string)) .

One slash to escape the apostrophe, the other to escape the slash that escapes the apostrophe.

Internally, mysql interprets the \\' as '

In your php settings the string_splash setting is ON, and that is why when the string is passed from the form it is already escaped... Now you are using mysql_real_escape_string, which escapes the "escape character" as well as the single quote. And that is why there are three slashes.

Try using this function, which I use a lot:

function sanitize( $value )
{
    // Undo the slashes magic_quotes_gpc added on the way in, so the value is
    // not escaped twice (get_magic_quotes_gpc() was removed in PHP 8)
    if( get_magic_quotes_gpc() )
    {
        $value = stripslashes( $value );
    }
    //check if this function exists (the mysql_* extension was removed in PHP 7)
    if( function_exists( "mysql_real_escape_string" ) )
    {
        $value = mysql_real_escape_string( $value );
    }
    //for PHP version < 4.3.0 use addslashes
    else
    {
        $value = addslashes( $value );
    }
    return $value;
}

It is not specifically for php 4 or older years... The function works to escape a string and makes sure it does not double escape it (which is the question being asked).

if( function_exists( "mysql_real_escape_string" ) ) - this line escapes if the database connection is available, and

the else part of that if condition makes sure it works if the database connection is not available; php 4 support is an added benefit only...
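As an added example (not code from the question or from any of the answers above), the following PHP script reproduces the slash counts reported in the question and the fix order recommended in the answers, so it illustrates both the "why three slashes" explanation and the sanitize() function. It assumes that magic_quotes_gpc and the quote/backslash handling of mysql_real_escape_string can both be modelled with addslashes() (true for this input; the real function needs a live connection and additionally escapes NUL, \n, \r and \x1a). The last part assumes the pdo_sqlite extension is available and uses an in-memory database to show that a prepared statement stores the raw value without any escaping step.

```php
<?php
// Added example, not from the thread: models the two escaping layers the
// answers describe so the slash counts can be reproduced without MySQL.

// Assumption: what magic_quotes_gpc did to every $_POST value before the
// script ran is exactly addslashes().
function magic_quotes_layer(string $raw): string {
    return addslashes($raw);
}

// Assumption: stand-in for mysql_real_escape_string (same treatment of the
// apostrophe and the backslash, which is all that matters for this input).
function escape_layer(string $value): string {
    return addslashes($value);
}

// The order the answers recommend: undo magic quotes first, strip apostrophes
// from the raw text, and escape exactly once, as the very last step.
function clean_title(string $post, bool $magicQuotesOn): string {
    $value = $magicQuotesOn ? stripslashes($post) : $post;
    $value = trim(str_replace("'", "", $value));
    return escape_layer($value);
}

// Self-check helper: stops the script if a step does not match the thread.
function expect(string $actual, string $expected, string $what): void {
    if ($actual !== $expected) {
        throw new RuntimeException("$what: got [$actual], expected [$expected]");
    }
    echo "$what: $actual\n";
}

$raw  = "My Bday'";                // constructed input: what the user typed
$post = magic_quotes_layer($raw);  // My Bday\'  (one slash added by magic quotes)

// 1. Escaping the already-escaped value yields the three slashes from the question.
$esc = escape_layer($post);
expect($esc, "My Bday\\\\\\'", "escaped twice");

// 2. Deleting the apostrophe afterwards leaves a run of three backslashes;
//    stripslashes() turns the first pair into one and drops the lone trailing one.
$stripped = stripslashes(str_replace("'", "", $esc));
expect($stripped, "My Bday\\", "replace then stripslashes");

// 3. The "further EDIT" order (replace, trim, then escape) still carries the
//    magic-quotes backslash, which is why two slashes remained.
$edit = escape_layer(trim(str_replace("'", "", $post)));
expect($edit, "My Bday\\\\", "replace, trim, escape");

// 4. Undoing magic quotes before anything else gives the clean title.
expect(clean_title($post, true), "My Bday", "stripslashes first");

// 5. With a prepared statement the raw value is bound as data, so no escaping
//    (and no slash counting) is needed. Assumes pdo_sqlite is installed.
if (extension_loaded('pdo_sqlite')) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE user_events (user_event_id INTEGER PRIMARY KEY, event_title TEXT)');
    $stmt = $pdo->prepare('INSERT INTO user_events (user_event_id, event_title) VALUES (?, ?)');
    $stmt->execute([35, $raw]);
    $back = $pdo->query('SELECT event_title FROM user_events WHERE user_event_id = 35')->fetchColumn();
    expect($back, "My Bday'", "round trip through prepared statement");
}
```

Run it with the PHP CLI; each step prints the value it produced and the script throws if any step disagrees with the values reported in the thread. Steps 1 to 3 reproduce exactly the outputs the asker saw, which is only possible if the incoming value already carried a backslash, i.e. if magic quotes (or an equivalent layer) was active despite the asker's belief that it was off. Step 4 is the sanitize() ordering from the last answer; step 5 is the approach that makes the whole question moot, because bound parameters are never interpolated into the SQL text.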
