本文介绍了什么是stripslashes?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

一直在阅读有关预防SQL注入的最新消息,并且我试图在不同功能之间形成一些理解,以便我可以学习基础知识。



我已阅读 mysql_real_escape_string 我知道它基本上是逃避它认为是特殊的字符,所以它不会与SQL语法混淆?


$ b $现在,假设至少在某种程度上是正确的 - 是否需要使用 stripslashes 函数结合 mysql_real_escape_string

code>?我想知道 stripslashes 是什么以及它是干什么的。

解决方案

如果在使用 mysql_real_escape_string 后在输入上使用 stripslashes ,您将有效地撤消它。可能还有其他一些原因使用 stripslashes ,但在我的情况下,我只需要它就可以解除魔术引号的恐怖。它实际上与 addslashes 相反。

addslashes 不一定转义输入与 mysql_real_escape_string 相同,并且它们不能用于相同的目的。



甚至比 mysql_ * 更好,您应该阅读使用准备好的语句,如。那么你甚至不用担心 mysql _ * stripslashes (魔术引号除外)。


I have been reading most recently about prevention of SQL injection and I am trying to develop some sense of understanding between the different functions so that I can learn the basics.

I have read about mysql_real_escape_string and I understand that it is basically escaping characters which it deems "special" so that it is not confused for SQL syntax?

Now, assuming that is at least to some degree true - is there a need to use the stripslashes function combined with the mysql_real_escape_string? I'm wondering about what stripslashes is and what it is for.

解决方案

If you use stripslashes on input right after using mysql_real_escape_string, you will effectively undo it. There are probably other reasons to use stripslashes, but in my case I have only ever needed it to undo the horror that is magic quotes. It's actually the opposite of addslashes.

addslashes does not necessarily escape input the same as mysql_real_escape_string does, and they cannot be used for the same purpose.

Even better than mysql_*, you should read up on using prepared statements like in PDO. Then you don't even have to worry about mysql_* or stripslashes (except for magic quotes).

这篇关于什么是stripslashes?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

10-29 02:40