我正在尝试使用表单将数据输入到 MySQL 中,并且也mysql_real_escape_string用于此目的。不幸的是,我的输出有问题。它显示\s,或者如果我使用stripslashes它,它会删除所有斜杠。
如果我提交web's forms using backslash \,我会得到以下输出:
"web\'s forms using backslash \\"
看到我有一个双反斜杠。但是如果我使用该stripslashes函数,那么它会删除所有斜杠,但也会删除输入的斜杠,输出是
"web's forms using backslash"
这里没有显示反斜杠,但最后应该有一个反斜杠。
问题是,如果有人在密码字段和任何其他字段中使用反斜杠,那么反斜杠将被剥离或显示两次。另外请告诉我什么最适合显示输出 htmlentities 或 htmlspecialchars
你打开了魔术引号。您需要完全禁用它们,因为它们在安全性方面不好。
将它们设置为off来自 php.ini(首选):
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
或者您可以在运行时禁用它们:
if (get_magic_quotes_gpc())
{
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
while (list($key, $val) = each($process))
{
foreach ($val as $k => $v)
{
unset($process[$key][$k]);
if (is_array($v))
{
$process[$key][stripslashes($k)] = $v;
$process[] = &$process[$key][stripslashes($k)];
}
else
{
$process[$key][stripslashes($k)] = stripslashes($v);
}
}
}
unset($process);
}
Problems in inserting data using “safe way to input data to mysql using PHP”</p>
You should use PDO(new improved way) prepared statement which are safer and faster then there predecessors(mysql_real_escape_string, etc). Why you Should be using PHP’s PDO for Database Access goes into deeper details.
The problem is that if someone uses backslash in password field and any other filed, then the backslash will be stripped or displayed twice.And also please tell me what is best for displaying output htmlentities or htmlspecialchars.
The new and improved way is to use filter. In particular I would advise you to read all these Performance and Security slides from PHP creator Rasmus Ledorf. http://talks.php.net/ has a lot of good slides in general which you should have a look at.
使用 mysqli 库和 Prepared Statements。然后所有字符都作为数据进入,你不需要搞乱所有这些东西。