PHP/MySQL character escape problems

Source: Internet
Author: User
PHP/MySQL character escaping: <input type = name value = 'I' saappl'/> Background processing: $name = addslashes($_POST['name']); // PHP/MySQL character escape problem: is the single quotation mark escaped on insert?

Background processing
$name = addslashes($_POST['name']); // Escape single quotes

During the insert operation, are they stored in the database together with escape characters? Or are escape characters removed?

If it is stored in the database with an escape symbol, a small problem occurs.

If you want to check whether the name is repeated, you need to compare the $name.

Escape: $name = addslashes($_POST['name']);

SELECT count(*) AS num FROM table WHERE name = '$name'

Num is 0, that is, the same value cannot be found,

The printed SQL statement is: SELECT count(*) AS num FROM table WHERE name = 'This\'s a apple'

The num value is zero. I opened the database and found that the value of the name field is this\'s a apple.

If you escape $name again, the value of $name is this\\'s a apple.

That is to say, the addslashes function is used twice.

How can we solve this problem? Isn't it difficult to use it twice?


------ Solution --------------------
If magic_quotes_gpc is enabled in php.ini, then cookie, post, and get data all pass through addslashes by default. For example, if the user uploads li'Lei, then the $_POST['name'] you get is li\'Lei, which is directly spliced into the SQL:

select * from table where name = 'li\'Lei'. You don't need addslashes.
If you give it addslashes, it will be abnormal, because \ also affects how mysql parses the command, so addslashes will escape it as well, and the result really will be abnormal:

addslashes("li\'Lei"); the generated li\\\'Lei is combined into SQL:

select * from table where name = 'li\\\'Lei'. After the database receives it, it is actually li\'Lei, with one more \.


In addition, stripslashes is rarely used, because it is generally only needed when magic_quotes_gpc (get, post, cookie) is enabled by default in php.ini: if we want to use the value actually submitted by the user, such as li'Lei, stripslashes($_POST['name']) is required. Here, the name is the li\'Lei that has already been automatically passed through addslashes, and after the strip it is li'Lei.
If it is not stripped and is output to the page, the user will see li\'Lei.
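
The single versus double escaping described in the solution, as an added example that is not part of the original thread. It assumes the pdo_sqlite extension is available, uses an in-memory SQLite table named users as a stand-in for the MySQL connection, and models MySQL's string-literal parsing with stripslashes(); value_mysql_stores is a hypothetical helper and the sample input is constructed.

```php
<?php
// Added example, not code from the thread. Sample input is constructed.

// Model of how MySQL reads a quoted string literal: for \' and \\ the parser
// drops the escaping backslash, which stripslashes() reproduces.
function value_mysql_stores(string $literalBody): string
{
    return stripslashes($literalBody);
}

$typed = "li'Lei";                 // what the user entered in the form

// Escaped exactly once (by magic_quotes_gpc OR by addslashes, never both):
// the backslash is consumed by the SQL parser and the stored value is clean.
$once = addslashes($typed);
printf("once : literal '%s' stores %s\n", $once, value_mysql_stores($once));

// Escaped twice (magic_quotes_gpc on, then addslashes again in the script):
// one backslash survives parsing and ends up in the column.
$twice = addslashes($once);
printf("twice: literal '%s' stores %s\n", $twice, value_mysql_stores($twice));

// Bound parameters avoid the question entirely: the value never becomes part
// of the SQL text, so nothing is escaped and nothing needs stripping.
$pdo = new PDO('sqlite::memory:'); // assumed stand-in for the MySQL connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
$insert->execute([$typed]);

// Duplicate-name check from the question, comparing against the raw value.
$check = $pdo->prepare('SELECT count(*) AS num FROM users WHERE name = ?');
$check->execute([$typed]);
$num = (int) $check->fetchColumn();

$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
printf("bound: stores %s, duplicate check num = %d\n", $stored, $num);
```

magic_quotes_gpc was removed in PHP 5.4, so on current PHP versions the request data arrives unescaped and the bound-parameter path is the one to use.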
