stackoom
  简体   繁体   中英

mysql_real_escape_string, stripslashes and htmlspecialchars

 原文  2012-11-23 11:03:42       php/ mysql/ mysql-real-escape-string/ htmlspecialchars/ stripslashes

Question

When I post a variable to the database, of course, I use mysql_real_escape_string . This way special characters go in the database as it should.

When I read this variable out of the database, I use mysql_real_escape_string again together with stripslashes : 

$var = stripslashes(mysql_real_escape_string($record['rowname']));

else it will give me slashes before quotes.

When I use this $var I mentioned above and want to echo it, I simple can echo "$var" because it has already been stripped and escaped, right?

And beside, if I use stripslashes + mysql_real_escape_string on a variable, then POST this same variable again in the database, is mysql_real_escape_string enough? Or do I need to stripslashes this variable again?

Summarized:

As I know how this works:

  1. use mysql_real_escape EVERY time when using data with mysql: when reading query through variables just as posting variables to database.
  2. Use stripslashes when echoing out escaped variables.
  3. If you want to post stripslashes and escaped variables again to the database, you dont need to stripslash it again.

Do I miss htmlspecialchars ?

EDIT

So this is all wrong? 

    while( $record=mysql_fetch_array($result) ) 
    {
        $custid=mysql_real_escape_string($record['custid']);
        $custsurname=mysql_real_escape_string($record['custsurname']);
        $custmidname=mysql_real_escape_string($record['custmidname']);
        $custforename=mysql_real_escape_string($record['custforename']);
        $custcountry=stripslashes(mysql_real_escape_string($record['custcountry'])); }

2 answers

solution1
 6  2012-11-23 11:17:46

I'm afraid you're doing it wrong. The key point is that escaping is context sensitive and you completely disregard that fact.

On every data format, there're words or characters that are assigned special meanings in the format spec. For instance, a ' symbol in SQL means "string delimiter", a ? symbol in a URL means "start query string" and a < symbol in HTML means "start tag". You need escaping when you want to insert a literal word or character, ie, you want to insert it as-is and remove its special meaning.

Once aware of that, it's clear that the syntax varies depending on the format and context. < means "start tag" in HTML but not in SQL or URLs. Thus you need to use a escaping method that's built for the target format and follows the format rules.

If you do mysql_real_escape_string() on data read from a database you're saying "escape my data so it can be injected as inside a SQL string". Your data gets ready to be used inside as a SQL string but get's corrupted for any other usage.

In this example, it happens that stripslashes() undoes most of what mysql_real_escape_string() did so you end up with an output that's basically unchanged. But that's pure chance.

Last but not least, having to escape database input parameters one by one is very annoying. All other DB extensions but the one you are using 1 offer prepared statements. Don't get stuck with a deprecated extension that doesn't offer modern stuff.

1 Note: the legacy mysql extension has been deprecated for several years, when better alternatives became available, and it's no longer part of the language.

Update: a little clarification—escaping is just a syntax trick. You don't alter the input to the eyes of the target engine, which just sees the original data as-is. So there's no need to unescape the input when you retrieve it.

solution2
 4  2012-11-23 11:11:35

You don't need to stripslashes or mysql_real_escape_string the data coming from database, you just need to escape it before you query so the query parser knows what are special characters and what are literal characters.

stripslashes should be never used (as a hack to fix some symptoms), if you are going to need a variable after escaping it, use the original one: 

$data_safe = mysql_real_escape_string( $data );
//$data can still be used normally

Escaping is only for a certain context, if the context is a mysql query then you will mysql real escape just for the query and nothing else. If the context is html output, then you will htmlescape just before outputting a string as html. At no point you want to actually modify the data itself. If you misunderstand this, you will see O\\'Brian and O&#39;Brian etc.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question mysql_real_escape_string , htmlspecialchars mistake? PHP mysql_real_escape_string() -> stripslashes() leaving multiple slashes Will mysql_real_escape_string() cancel out stripslashes()? Avoiding SQL injection using mysql_real_escape_string and stripslashes mysql_real_escape_string() -> stripslashes() -> jquery.append() Using stripslashes after mysql_real_escape_string Is mysql_real_escape_string(htmlspecialchars()) really useful ? why? Best order between stripslashes, utf8_decode, mysql_real_escape_string? mysql_real_escape_string and ’ mysql_real_escape_string(htmlspecialchars( $value )); is enough? how can i easly improve it?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM