Decoding mysql_real_escape_string() for outputting HTML

萌比男神i 2020-12-16 16:50

I'm trying to protect myself from SQL injection and am using:

mysql_real_escape_string($string);

When posting HTML it looks something like

9 answers
  •  隐瞒了意图╮
    2020-12-16 17:22

    Well, I took a stab at this the old-fashioned way and so far I am unable to see anything wrong with my approach. Obviously it's a bit crude but it gets the job done:

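    function mysql_unreal_escape_string($string) {
        // Characters that follow the backslash in mysql_real_escape_string() output:
        // NUL is written as \0 and Ctrl-Z (0x1a) as \Z.
        $characters = array('0', 'n', 'r', '\\', '\'', '"', 'Z');
        // The original byte each sequence stands for, in the same order.
        $o_chars = array("\x00", "\n", "\r", "\\", "'", "\"", "\x1a");
        for ($i = 0; $i < strlen($string); $i++) {
            if (substr($string, $i, 1) == '\\') {
                foreach ($characters as $index => $char) {
                    // Only look ahead when an escape character actually follows the backslash.
                    if ($i + strlen($char) < strlen($string) && substr($string, $i + 1, strlen($char)) === $char) {
                        // Replace the backslash and the escape character with the original byte.
                        $string = substr_replace($string, $o_chars[$index], $i, strlen($char) + 1);
                        break;
                    }
                }
            }
        }
        return $string;
    }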
    

    This should cover most cases.
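
An added example, not part of the answer above or of the original question: it stores HTML through a bound parameter, reads it back byte for byte with no decoding step, and encodes it only at the point of output. Assumptions: PDO with the pdo_sqlite driver (an in-memory stand-in for MySQL), a hypothetical `posts` table and `e()` helper, and a constructed sample string.

```php
<?php
// Added example. Assumptions: pdo_sqlite is available (in-memory stand-in for
// MySQL); the `posts` table and the e() helper are hypothetical names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input with quotes, a backslash and CR/LF, i.e. characters that
// mysql_real_escape_string() would prefix with a backslash.
$html = "<p class=\"note\">It's a \\ test</p>\r\n<script>alert('x')</script>";

// Write: the value travels as a bound parameter, separate from the SQL text,
// so nothing is escaped by hand and nothing has to be decoded later.
$insert = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
$insert->execute([':body' => $html]);
$id = (int) $pdo->lastInsertId();

// Read: the stored value is exactly what was submitted.
$select = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
$select->execute([':id' => $id]);
$stored = $select->fetchColumn();
if ($stored !== $html) {
    throw new RuntimeException('stored value differs from submitted value');
}

// Output: encode for the HTML context when displaying the value as text.
// Rendering user-supplied markup as markup needs an allow-list sanitizer
// instead, which this example does not cover.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<div class="post">', e($stored), "</div>\n";
```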
