duanqianpu6499 2011-05-21 20:42
47 views
Accepted

The addslashes function adds a slash when I try to retrieve data from the database

I need to enter a string into my database; this string may contain this character: '. I wasn't able to enter it until I used the addslashes() function; however, when trying to display the string manipulated with addslashes() later to the user, it appears with the slash.

$this->adresse=addslashes($this->adresse);//example : L'Arc

When trying to display it later I got: L\'Arc

For inserting into the database I use PDO like this:

$req=$bdd->prepare('Insert into ...

Can you please help me? I want to prevent this character ' in the query, but on the other hand I don't want the \ to be shown with the string.


2 answers

  • dsasd12314 2011-05-21 20:46

    addslashes shouldn't be necessary and shouldn't be used when interacting with a database. Preferred over addslashes is whatever quote function the DB driver provides. Preferred over quote functions are prepared statement parameters, which will prevent injection attacks. Moreover, you can't forget parameters, while you can forget to quote. For example:

    $thing = new StdClass;
    $thing->foo = 'bar';
    $thing->addresse = 'anywhere';
    $req = $bdd->prepare('INSERT INTO table (addresse, foo) VALUES (:addresse, :foo)');
    $req->execute((array) $thing);
    

    Not that casting an object to an array and passing that to execute is appropriate for your DAL.

    This answer was selected as the best answer by the asker.
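    The fix the answer describes, as an added example that is not from the original question or answer: it reproduces the asker's double escaping against an in-memory SQLite database (assumed available through pdo_sqlite; the table and column names and the sample value are constructed) and shows the bound parameter storing the quote intact.

```php
<?php
// Added example, not code from the original question or answer.
// Uses an in-memory SQLite database (requires the pdo_sqlite extension)
// so it runs offline; the table name "contact" is constructed.
$bdd = new PDO('sqlite::memory:');
$bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$bdd->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, adresse TEXT)');

$adresse = "L'Arc"; // constructed sample value containing a single quote

$req = $bdd->prepare('INSERT INTO contact (adresse) VALUES (:adresse)');

// Wrong: addslashes() on top of a bound parameter. The driver already
// transmits the value safely, so the backslash becomes part of the data.
$req->execute([':adresse' => addslashes($adresse)]);

// Right: bind the raw value. The quote cannot break out of the SQL because
// the value never becomes part of the statement text, and nothing is added.
$req->execute([':adresse' => $adresse]);

// Read both rows back so the stored values can be compared.
function storedAddresses(PDO $bdd): array
{
    return $bdd->query('SELECT adresse FROM contact ORDER BY id')
               ->fetchAll(PDO::FETCH_COLUMN);
}

$rows = storedAddresses($bdd);
echo 'addslashes() stored: ', $rows[0], PHP_EOL;
echo 'parameter stored:    ', $rows[1], PHP_EOL;
echo 'parameter round-trips exactly: ',
     var_export($rows[1] === $adresse, true), PHP_EOL;

// When the value is later shown in an HTML page, escape it for HTML at that
// point (htmlspecialchars), not for SQL; SQL escaping belongs to the driver.
echo htmlspecialchars($rows[1], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```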
