
mysql_real_escape_string strange apostrophe behaviour?

I have a form and a user enters eg (note apostrophe at end of string)

My Bday'

Now, I want to strip apostrophes, simple as that... not escape them, not add slashes just get rid of them

Firstly I have the following:

$event_title = mysql_real_escape_string($_POST['event_title']);

echo "<br /><br /><br />event title is $event_title";

Which results in the following being returned:

event title is My Bday\\\'

Why 3 slashes?

So, then I go ahead and deal with this by using the following:

$event_title = str_replace("'", "", $event_title); 

$event_title = stripslashes($event_title); 

Then I return it again to check results

echo "<br /><br /><br />event title is $event_title";

I get the following:

event title is My Bday\

Any ideas what's happening? I simply want to strip apostrophes and slashes but somehow it's not happening

magic_quotes_gpc is off by the way

If I don't use stripslashes therefore leaving them in for MySQL to deal with I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'Private',
event_notes = '' where user_event_id = '35'' at line 3

update user_events set event_date = '2012-11-17', event_title = 'My Bday\\\',
event_vis = 'Private', event_notes = '' where user_event_id = '35'

OK, a further EDIT:

I tried this:

$event_title = $_POST['event_title'];

$event_title = str_replace("'", "", $event_title);

$event_title = trim($event_title);

$event_title = mysql_real_escape_string($event_title);

echo "<br /><br /><br />event title is $event_title";

and I get this:

event title is My Bday\\

I simply want to get rid of apostrophes, clearly something else is going on here but it's got me!

What's happening is this:

mysql_real_escape_string escapes all the characters that should be escaped by adding a slash in front of a character being escaped. But adding just a slash will lead to storing the character as unescaped within the DB, therefore also the slash must be escaped prior to inserting...

That's why you have My BDay\\\' . If this value is stored into a DB the final result will be My BDay\' .

But when you do str_replace("'", "", 'My BDay\\\''); you will end up with My BDay\\\ and after calling stripslashes on this you will get My BDay\ - that is absolutely correct!

So don't bother with how the string looks after calling mysql_real_escape_string , just store that value into the DB and after retrieving it you will end up with My BDay' again...

EDIT How do you get to just one slash from the three after calling stripslashes ? The function goes from the start of the string to its end and looks for any slash-escaped characters to remove the escaping slash. So it finds the first two slashes and removes one, but still two remain (the one just processed and the third one), so it processes the next two slashes it finds, which results in just one slash remaining...

If you'd call stripslashes on the string My BDay\\\' - that will lead to My BDay' ...

EDIT2 My bad... The next two slashes are added probably because you have magic_quotes_gpc ON - turn that off or call mysql_real_escape_string(stripslashes($string)) .

One slash to escape the apostrophe, the other to escape the slash that escapes the apostrophe.

Internally MySQL interprets \\' as '

In your PHP settings the string_splash setting is ON and that is why when the string is passed from the form it is already escaped... Now you are using mysql_real_escape_string - which escapes the "escape character" as well as the single quote. And that is why three slashes..

Try using this function - which I use a lot

function sanitize( $value )
{
    // Undo the slashes magic_quotes_gpc added on input so the value is escaped only once
    if( get_magic_quotes_gpc() )
    {
        $value = stripslashes( $value );
    }
    // Check if this function exists
    if( function_exists( "mysql_real_escape_string" ) )
    {
        $value = mysql_real_escape_string( $value );
    }
    // For PHP versions < 4.3.0 use addslashes
    else
    {
        $value = addslashes( $value );
    }
    return $value;
}

It is not specifically for PHP 4 or older years... The function works to escape a string and make sure it does not double escape it ( which is the question being asked )

if( function_exists( "mysql_real_escape_string" ) ) - this line escapes if the database connection is available and

The else part of that if condition makes sure it works if the database connection is not available, and PHP 4 support is an added benefit only...
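An added stand-alone script (not code from the question or any answer) that reproduces the three-slash symptom and the "My Bday\\" result without a database. It uses addslashes() in place of mysql_real_escape_string(), which escapes the same characters for this input (the sanitize() answer falls back to it for that reason), and assumes the form value arrives already slashed, i.e. magic_quotes_gpc is effectively ON as the "My Bday\\" output implies.

```php
<?php
// Added example, not part of the original question or answers.
// addslashes() stands in for mysql_real_escape_string() so this runs offline.
// Assumption: $_POST already carries magic_quotes_gpc slashes (flag = true).

function gpc_value(string $raw, bool $magic_quotes): string
{
    // What $_POST['event_title'] holds for $raw under each magic_quotes_gpc setting
    return $magic_quotes ? addslashes($raw) : $raw;
}

function escape_once(string $value, bool $magic_quotes): string
{
    // Undo the automatic slashes first, then escape exactly once
    if ($magic_quotes) {
        $value = stripslashes($value);
    }
    return addslashes($value);
}

function strip_then_escape(string $value, bool $magic_quotes): string
{
    // The order the question needs: normalise, drop apostrophes, then escape
    if ($magic_quotes) {
        $value = stripslashes($value);
    }
    $value = str_replace("'", "", $value);
    return addslashes(trim($value));
}

$raw    = "My Bday'";
$posted = gpc_value($raw, true);              // My Bday\'  (what the form delivers)

$double = addslashes($posted);                // My Bday\\\'  (the three slashes)
$single = escape_once($posted, true);         // My Bday\'
$clean  = strip_then_escape($posted, true);   // My Bday

// Without the stripslashes step, removing the quote still leaves a slash to escape
$wrong  = addslashes(str_replace("'", "", $posted));   // My Bday\\

printf("double-escaped: %s  (%d backslashes)\n", $double, substr_count($double, "\\"));
printf("escaped once:   %s  (%d backslashes)\n", $single, substr_count($single, "\\"));
printf("quote removed, no stripslashes: %s  (%d backslashes)\n", $wrong, substr_count($wrong, "\\"));
printf("stripped:       %s  (%d backslashes)\n", $clean, substr_count($clean, "\\"));

// Escaping once and undoing it must return the original input
var_dump(stripslashes($single) === $raw);    // bool(true)
```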
