2014-04-08 16:24
浏览 83


This question already has an answer here:

I am mostly working with Php 5.4+ and MySql 5.5+ versions. I am using Codeigniter for all the projects.

The problem i am facing is

Sometimes(on some production servers) when ever a POST variable contains ' or " quotes, a Database error occurs. But few times(on other servers) they work properly, i mean the quotations get inserted into tables

Though php and CI have a good facility for handling these strings with addslashes and mysql_escape_sequence etc

  1. It is not that easy to check these conditions for every possible variable that is being posted by the User

  2. Every time we have to use addslashes Ex: It\'s and while giving the output we have to again apply stripslashes to output It's. But it is difficult to handle for large values.

  3. As the Database saves the data as It\'s it is difficult to search for these strings.

For struggling for days, i found that using utf8mb4_general_ci advantageous over utf8

Accordingly i made sure the CI's Database.php have the following

    $db['default']['char_set'] = 'utf8mb4';
    $db['default']['dbcollat'] = 'utf8mb4_unicode_ci';

Also i changed the datatype for respective columns to "LONGTEXT" and its collation to "utf8mb4_general_ci"

To my surprise they worked for some servers.

But Still on some servers i found the same problem. which is bit frustrating even though i made sure the server configuration matches with those working servers.

How all php and mysql developers are working with this Scenario? what precautions are you taking?

Please suggest!!


图片转代码服务由CSDN问答提供 功能建议

此问题已经存在 这里有一个答案:

  • 如何在PHP中阻止SQL注入? 28 answers

    我主要使用 Php 5.4+和MySql 5.5+ 版本即可。 我正在为所有项目使用 Codeigniter


    有时(在某些生产服务器上)当POST变量 包含'或 “引用,发生数据库错误。但很少次(在其他服务器上)它们正常工作,我的意思是引用插入表中

    虽然 php和CI有一个很好的工具来处理这些字符串 addslashes mysql_escape_sequence

    1. 为用户发布的每个可能变量检查这些条件并不容易

    2. 每次我们必须使用addslashes Ex:It 在给出输出的同时,我们必须再次使用stripslashes来输出它。但是对于大值来说很难处理。

    3. 随着数据库保存 数据因为它很难搜索这些字符串。

      为了奋斗好几天,我找到了 使用 utf8m b4_general_ci 优于 utf8


       <  code> $ db ['default'] ['char_set'] ='utf8mb4'; 
       $ db ['default'] ['dbcollat​​'] ='utf8mb4_unicode_ci'; 

      此外,我将各列的数据类型更改为“ LONGTEXT ”,并将其归类为“ utf8mb4_general_ci


      但仍然在某些服务器上我发现了同样的问题。 即使我确保服务器配置与那些工作服务器匹配 ,这仍然令人沮丧。

      所有php和mysql开发人员如何使用此方案 ? 您正在采取什么预防措施?


  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • duan19750503 2014-04-08 16:27

    On my old projects, I just have a function DB::esc() that wraps whatever escape function goes to the library I'm using, be it mysql_real_escape_string or whatever else.

    On my new projects, I use prepared statements and let the extension handle it.

    解决 无用
    打赏 举报

相关推荐 更多相似问题