I have a complicated form where I first have to take some $_GET
parameters and obviously I have to do a mysql_real_escape_string()
on them since I look stuff up in the database with them.
The problem for me is after the initial db lookup. When the user submits a form, I send them along as a $_POST
request and obviously have to do this mysql_real_escape_string
call again just in case someone tries to hack my site with a faked form submission.
Then the problem I have is the arguments are escaped twice and my queries begin to look strange like this:
select field1 , field2 , from my_table where some_id = \'.$lookup_id.\' ...
So the system seems to be adding \' and it is messing me up :) Also, in my other forms I have not seen such behavior. Any ideas on what may be causing this?
One weird thing is that I tried to send unescaped parameters to the post, and the same problem happens. That is a clue, but not a sufficient one for me. :(
The stripslashes http://php.net/manual/en/function.stripslashes.php function may be of use - run that before you do your escaping?
See this setting in your php:
http://www.tizag.com/phpT/php-magic-quotes.php
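As an added example (not code from either answer above, and not the asker's form), here is what the two suggestions look like together: undo magic_quotes_gpc once at request start, carry the raw value through the form, and escape exactly once at the point where the SQL is built. It targets PHP 5.x, the version current when magic quotes existed (get_magic_quotes_gpc() no longer exists in PHP 8); $link is an assumed mysqli connection handle, and addslashes() stands in for mysql_real_escape_string() only so the double-escaping symptom can be shown without a database.

```php
<?php
// Added example, not from the original post. Goal: every request value is in
// its raw form exactly once, and is escaped only when the query is built.

// Recursively strip the backslashes magic_quotes_gpc added to GET/POST/COOKIE.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Run once, at the top of the request, before any escaping happens.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Escape at the point of use, never store the escaped value back into $_GET/$_POST.
// $link is an assumed mysqli connection handle.
function lookup_sql(mysqli $link, $raw_id) {
    $id = mysqli_real_escape_string($link, $raw_id);
    return "SELECT field1, field2 FROM my_table WHERE some_id = '$id'";
}

// When the value must travel to the POST step, output-encode the RAW value
// for HTML; that is a separate concern from SQL escaping.
function hidden_field($name, $raw_value) {
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($raw_value, ENT_QUOTES, 'UTF-8') . '">';
}

// Demonstration with a constructed value as the browser would send it.
$raw   = "O'Brien";
$once  = addslashes($raw);   // one escape:  O\'Brien
$twice = addslashes($once);  // escaped again: O\\\'Brien, the extra backslash seen in the question
echo "raw:   $raw\n";
echo "once:  $once\n";
echo "twice: $twice\n";
echo hidden_field('lookup_id', $raw), "\n";
```

If the extra backslash appears even when you send unescaped values, magic_quotes_gpc is the usual culprit: PHP has already added one layer before your code runs, so your single mysql_real_escape_string() call is really the second one.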
You should use prepared statements, which are considered safer because user-submitted strings are never parsed as SQL statements, thus reducing the SQL injection risk. As user strings are not parsed, you don't need to escape special chars.
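As an added example (not part of the answer above), the lookup from the question done with a PDO prepared statement: the user value is sent to MySQL separately from the SQL text, so neither mysql_real_escape_string() nor stripslashes() is needed at either the GET or the POST step. The DSN, credentials, table and column names are placeholders.

```php
<?php
// Added example, not from the original answer. Placeholder DSN and credentials.
function open_db() {
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8',
        'db_user', 'db_password',
        array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        )
    );
}

// The SQL text contains only a placeholder; the value is bound, never concatenated.
function lookup_by_id(PDO $pdo, $raw_id) {
    $stmt = $pdo->prepare('SELECT field1, field2 FROM my_table WHERE some_id = :id');
    $stmt->bindValue(':id', $raw_id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = open_db();

// Step 1: initial lookup straight from $_GET, raw value, no escaping.
$lookup_id = isset($_GET['lookup_id']) ? $_GET['lookup_id'] : '';
$rows = lookup_by_id($pdo, $lookup_id);

// Carry the raw value into the form; HTML-encode it for the page, not for SQL.
echo '<input type="hidden" name="lookup_id" value="'
   . htmlspecialchars($lookup_id, ENT_QUOTES, 'UTF-8') . '">';

// Step 2: on submit, the same prepared lookup runs on the raw $_POST value.
// A forged submission cannot change the SQL, because the value is data, not SQL.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $rows = lookup_by_id($pdo, isset($_POST['lookup_id']) ? $_POST['lookup_id'] : '');
}
```

With prepared statements the doubled \' in the question cannot occur, because no layer of your code ever writes the value into the query string; if magic_quotes_gpc is still on in php.ini, turn it off (or strip its slashes once at request start) so the raw value reaches bindValue() unchanged.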