mysql_real_escape_string（）但允许带撇号的名称

This is probably a common thing but I have a question. Allow apostrophes while still maintaining the mysql_real_escape_string() tag.

I have this: $name = stripslashes(mysql_real_escape_string($_POST['stadium_name']));

and I test it on this:

$getInfoX = mysql_fetch_array(mysql_query("SELECT * FROM `stadiums` WHERE `stadium_name` = '$stadium_name'")) or die(mysql_error());

I could do an example inject like x'; DROP TABLE members; -- or a name with apostrophes like Stade de l'Aube... but the name with apostrophes get me an error like:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Aube'' at line 1

What do I do?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
drctyr2869 2012-11-09 02:54
关注
You chain the result of mysql_real_escape_string through stripslashes which basically removes everything mysql_real_escape_string added for safety reasons.

So if you have $stadium_name= "Fred's Stadium"; as input mysql_real_escape_string($stadium_name) returns "Fred\'s Stadium" which can be included into you query safely generating

"SELECT * FROM `stadiums` WHERE `stadium_name` = 'Fred\'s Stadium'"

as MySQL-query. Calling stripslashes on the mysql_real_escape_stringoutput removes the \ in front of the ' so you send the query

"SELECT * FROM `stadiums` WHERE `stadium_name` = 'Fred's Stadium'"

to MySQL thinks your string is 'Fred' followed by some garbage (which can turn out to be dangerous).

Solution is to use a separate variable to store the result of mysql_real_escape_string, as it is correct for usage in database queries but unsuitable to be displayed back to the user.

I hope this helps.

Regards

TC
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(1条)

报告相同问题？

关注问题

mysql_real_escape_string（）但允许带撇号的名称 mysql php
2012-11-09 02:41

回答 2 已采纳 You chain the result of mysql_real_escape_string through stripslashes which basically removes ever
php mysql_real_escape_string转换为mysqli [复制] html mysql php
2016-08-30 17:57

回答 3 已采纳 I think you want this <?php $con=mysqli_connect("localhost","my_user","my_password","my_db");
使用mysql_real_escape_string后，在textarea中显示多行 html mysql php
2012-11-30 13:00

回答 3 已采纳 you probably have magic_quotes turned on, check it with echo get_magic_quotes_gpc() or else you w
PHP函数addslashes和mysql_real_escape_string的区别
2020-10-26 00:46

主要介绍了PHP函数addslashes和mysql_real_escape_string的区别,以及一个SQL注入漏洞介绍,需要的朋友可以参考下
使用mysql_real_escape_string编码错误，返回空字符串 mysql php
2013-06-13 12:28

回答 1 已采纳 mysql_real_escape_string considers the current connection character set. Your ISO-8859-1 scripts s
mysql_real_escape_string（）出错 php
2013-08-02 12:59

回答 1 已采纳 According to the documentation: If the link identifier is not specified, the last link opened
mysql_real_escape_string和json json mysql php
2012-07-30 12:11

回答 3 已采纳 You shouldn't use already prepared JSON string. You should use json_encode(); function to create
mysql_real_escape_string c api_mysql_real_escape_string
2021-03-03 23:48

高三垃圾的博客 } if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id)) { $str = mysql_real_escape_string($str, $this->conn_id); } elseif (function_exists('mysql_escape_string')) { $str = ...
使用mysql_real_escape_string的速度 mysql php
2014-04-03 21:28

回答 2 已采纳 The mysql_real_escape_string() already searches the string for apostrophes and other characters, a
mysql_real_escape_string和array_map返回空字符串？ mysql php
2013-09-05 00:05

回答 3 已采纳 array_map returns new array, if you're overwriting $_POST, better solution would be to use array_w
PHP在表名中从mysql_real_escape_string更改为PDO [duplicate] mysql php sql
2014-01-24 13:15

回答 1 已采纳 You won't be able to escape the table name (I hope that $tablename isn't coming from an outside so
php mysql_real_escape_string addslashes及mysql绑定参数防SQL注入攻击
2020-10-20 19:20

主要介绍了php mysql_real_escape_string addslashes及mysql绑定参数防SQL注入攻击的相关资料,需要的朋友可以参考下
mysql_real_escape_string导致网站连接错误 mysql php
2013-02-08 08:58

回答 4 已采纳 For mysql_real_escape_string to work, you first have to connect to MySQL via mysql_connect
php mysql_real_escape_string函数用法与实例教程
2021-01-20 00:35

语法mysql_real_escape_string(string,connection) 参数描述 string 必需。规定要转义的字符串。 connection 可选。规定 MySQL 连接。如果未规定，则使用上一个连接。说明本函数将 string 中的特殊字符转义...
mysql_real_escape_string()_mysql_real_escape_string() | 学步园
2021-03-15 11:56

林桂鑫的博客 19.7.3.53.mysql_real_escape_string()unsigned long mysql_real_escape_string(MYSQL *mysql, char *to, const char *from, unsigned long length)Note that mysql must be a valid, open connection. This is nee....
没有解决我的问题, 去提问

悬赏问题

¥15 装 pytorch 的时候出了好多问题，遇到这种情况怎么处理？
¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
¥15 手机接入宽带网线，如何释放宽带全部速度
¥30 关于#r语言#的问题：如何对R语言中mfgarch包中构建的garch-midas模型进行样本内长期波动率预测和样本外长期波动率预测
¥15 ETLCloud 处理json多层级问题
¥15 matlab中使用gurobi时报错
¥15 这个主板怎么能扩出一两个sata口
¥15 不是，这到底错哪儿了😭
¥15 2020长安杯与连接网探
¥15 关于#matlab#的问题：在模糊控制器中选出线路信息，在simulink中根据线路信息生成速度时间目标曲线（初速度为20m/s，15秒后减为0的速度时间图像）我想问线路信息是什么

mysql_real_escape_string（）但允许带撇号的名称

2条回答 默认 最新

悬赏问题

2条回答默认最新