问题描述
$string = "susan's"; //string is scraped from website
$string = html_entity_decode($string);
$sql = 'INSERT INTO database SET name = "'. $string .'"';
当我回显$ sql时,它显示正确的一个:INSERT INTO database SET name="susan's",但是当我运行查询时,它将susan's插入数据库中.当我从phpmyadmin手动运行查询时,它会插入正确的查询.为什么即使删除HTML实体也将它们传递给数据库?
When I echo out $sql, it shows correct one: INSERT INTO database SET name="susan's", but when I run query it inserts susan's into database. When I run query manually from phpmyadmin it inserts correct one. Why do html entities get passed to database even when I remove them?
推荐答案
您需要使用ENT_QUOTES标志常量.
按照手册:
ENT_COMPAT产生susan's的地方.
所以您的代码最终是:
$string = htmlspecialchars_decode($string, ENT_QUOTES);
注意:取决于用于插入此API的API,您需要了解转义时无需使用 stripslashes() ,并且在这种情况下可能会生成susan\'s,这是另一个不希望的结果.
Note: Depending on which API is used to insert this with, you need to be made aware that escaping it without using stripslashes() to it and should this be the case, may produce susan\'s, being another undesired result.
使用准备好的语句(如果您尚未这样做的话)应该来自用户输入.
Use a prepared statement, should this be coming from user input if you're not already doing so.
这将有助于防止SQL注入.
This will help against an SQL injection.
提示:在插入数据库之前,请务必先查看您的HTML源代码.这将确切显示将在查询中传递的内容.那也被认为是工具".
Tip: Before inserting into your database, always look at your HTML source. That will reveal exactly what it is that is going to be passed in the query. That is also considered as being a "tool".
- Echo和(HTML)源完全是两种不同的动物.
这篇关于即使我使用html_entity_decode,html实体也会传递到数据库中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!