This article describes how a string changed while it was being passed from the frontend to the database. Description:
The frontend input content is: ;?9W/U\|"s6u|:M
However, when it is passed to the backend and then saved to the database, it becomes: ;?9W/U|"s6u|:M
Why?
What's going on?
1: I found that it was correct before being inserted into the database.
2: Use the HeidiSQL tool to change the value. The SQL statement displayed is:
UPDATE `bitstorm_http_node`.`config_user_pwd` SET `Password`=';?9W/U\\|"s6u|:M' WHERE `Id`=14;
We found that before the insert operation, the program escaped the value, so that the special symbol '\' was written as '\\'.
Why does it escape? Is it because the single quotation marks and double quotation marks of strings are involved?
If a string is placed between single quotes, almost all characters other than the single quote itself are taken literally, exactly as they are written in the code.
Strings placed between double quotation marks support interpolation (variables embedded in the string are replaced with their content), and escape sequences are also replaced: \n becomes a line break, \t becomes a tab, and \\ becomes \. Similarly, \| will be interpreted as |, which is why the backslash disappeared from the stored value.
If you place the SQL statement of the above PHP code in single quotes, it will be an invalid SQL statement:
Invalid query
INSERT INTO `bitstorm_http_node`.`config_user_pwd` (`id`, `domain_name`, `username`, `password`) VALUES (0, "mdc-mon-tg-zabvip01.ubisoft.onbe", "cheng.wang", ";?9W/U\|"s6u|:M");
Solution:
In PHP, not every piece of escaped data is going to be inserted into a database. If all data coming into PHP were escaped, it would affect the execution efficiency of the program and cause performance problems.
It is more efficient to call escape functions (such as addslashes()) at runtime.
So obviously, here we need to escape the data before inserting it into the database, and we can do that manually by calling the addslashes() function wherever escaping is needed.
$pwd = addslashes($pwd); // add this line before saving to the database; this solves the problem
if ($zabbixHelper == false) {
    return $this->returnError("Invalid input: Can not login zabbix using this username and password.");
}
// Build the INSERT statement; only $pwd has been escaped above.
$sql = "INSERT INTO `bitstorm_http_node`.`config_user_pwd` (`id`, `domain_name`, `username`, `password`) VALUES (0,'" . $domainName . "','" . $username . "','" . $pwd . "');";
$this->callSqlQuery($sql);
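The behaviour described above, as an added example that is not code from the original article: a simplified model of how MySQL decodes a quoted string literal in its default SQL mode, applied to the article's value. `decodeMysqlLiteral()` is a hypothetical helper written for this illustration, not a MySQL or PHP API.

```php
<?php
// Added example. decodeMysqlLiteral() is a hypothetical helper that models MySQL's
// documented string-literal escapes (default mode, NO_BACKSLASH_ESCAPES off).

/**
 * Decode a literal whose opening $quote has already been consumed.
 * Returns [decoded value, unparsed remainder], or null if unterminated.
 */
function decodeMysqlLiteral(string $sql, string $quote): ?array
{
    $named = ['0' => "\0", 'b' => "\x08", 'n' => "\n", 'r' => "\r",
              't' => "\t", 'Z' => "\x1A"];
    $out = '';
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $next = $sql[++$i];
            // \% and \_ keep their backslash; any other unknown escape
            // (such as \|) silently loses it.
            $out .= ($next === '%' || $next === '_')
                ? '\\' . $next
                : ($named[$next] ?? $next);
        } elseif ($c === $quote) {
            if ($i + 1 < $len && $sql[$i + 1] === $quote) {
                $out .= $quote;          // doubled quote stands for one quote
                $i++;
            } else {
                return [$out, substr($sql, $i + 1)];  // closing quote reached
            }
        } else {
            $out .= $c;
        }
    }
    return null;
}

$pwd = ';?9W/U\|"s6u|:M';   // the article's value; PHP single quotes keep \| intact

// Case 1: raw value between single quotes.
[$stored] = decodeMysqlLiteral($pwd . "'", "'");
echo "raw, single-quoted: $stored\n";
// Case 2: raw value between double quotes; the embedded " closes the literal early.
[$stored, $rest] = decodeMysqlLiteral($pwd . '"', '"');
echo "raw, double-quoted: $stored   leftover SQL: $rest\n";
// Case 3: addslashes() first, then between single quotes.
[$stored] = decodeMysqlLiteral(addslashes($pwd) . "'", "'");
echo "addslashes round-trip equal: ", ($stored === $pwd ? 'yes' : 'no'), "\n";
```

In application code, binding the value as a parameter of a prepared statement (PDO or mysqli) avoids building the literal by hand, so no escaping step is needed.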
Finally, in PHP, it is sometimes necessary to escape after JSON encoding:
$parameters = addslashes(json_encode($args));