mysql_real_escape_string and single quote

后端 未结 6 1396
花落未央
花落未央 2020-12-10 19:07

I\'m quite frustrated. I want to be able to insert into my database names with single quotes - for example, O\'Connor.

So, when inserting into the DB, I do:

相关标签:
6条回答
  • 2020-12-10 19:45

    It sounds like Magic Quotes are enabled in your PHP configuration.

    To check if it's actually enabled:

    echo get_magic_quotes_gpc();
    

    To disable, edit your php.ini file:

    ; Magic quotes
    ;
    
    ; Magic quotes for incoming GET/POST/Cookie data.
    magic_quotes_gpc = Off
    
    ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
    magic_quotes_runtime = Off
    
    ; Use Sybase-style magic quotes (escape ' with '' instead of \').
    magic_quotes_sybase = Off
    

    Or add this line to your .htaccess:

    php_flag magic_quotes_gpc Off
    
    0 讨论(0)
  • 2020-12-10 19:47

    All you need to do is take the search query, mysql_real_escape_string it, and it should be perfectly fine. The best way to do this though is to never store it escaped, and instead just escape it everything is goes into the database.

    Instead, do this:

     $_SESSION['search'] = $_GET['search'];
     $search = mysql_real_escape_string($_GET['search']);
    
    0 讨论(0)
  • 2020-12-10 19:51

    Little edit to the fixinput function to check if your installation of PHP does indeed have real escape string (older versions don't):

      function fixinput($value){
        if (get_magic_quotes_gpc()){
          $value = stripslashes($value);
        }
    
        if (function_exists('mysql_real_escape_string')) {
          return mysql_real_escape_string($value);
        }
        else {
          return mysql_escape_string($value);
        }
      }
    
    0 讨论(0)
  • 2020-12-10 19:51

    When it's in the DB, it appears as O\'Connor.

    So, if I were to recall that last name in my web application, I will have to use:

     $lname = stripslashes($r["lname"]);
    

    Wrong! When you escape strings with mysql_real_escape_string, they are only escaped in the query. The database interprets the query, so the data ends up in the database without any escape-characters. You do not have to use stripslashes when pulling data out of the database. If you think you do, then it means that the data in your database is mangled. Most likely because you have magic quotes turned on.

    You should:

    • Turn off magic quotes or reverse their effect globally. See the manual for details.
    • Either use bound parameters (The best solution) or escape all variables with mysql_real_escape_string. You should do this where you are building the query.
    • Not do anything on the stuff you pull out from the database.

    In particular, do not make a function a la the fixinput and variants that is listed in some of the answers here. It is the wrong way to solve the problem, because it will mess up any data that doesn't come from a http-request.

    0 讨论(0)
  • 2020-12-10 19:57

    I dont check for get_magic_quotes_gpc is on/off.

    I just do $lname = mysql_real_escape_string(stripslashes($_POST['lname'])); so if there is not any quoted text it wont strip slashes.. if there is quoted it will strip them off.

    and it works wonders for me!

    0 讨论(0)
  • 2020-12-10 20:01

    Magic quotes are enabled. What this means is that anything placed in post or get or other similar locations is automatically escaped so that beginning programmers don't have to worry about it as much. It is deprecated in the current version of PHP, if I remember correctly.

    What you want to do to deal with this, and have the script run the same from any configuration is the following:

    function fixinput($value){
        if (get_magic_quotes_gpc()){
          $value = stripslashes($value);
        }
    
        return mysql_real_escape_string($value);
    }
    

    You may want to further modify this to wrap non-numeric data in quotes, which is a common variation, but I find it is better to place those quotes manually.

    0 讨论(0)
提交回复
热议问题