开发者

Storing values with apostrophes in the database

开发者 https://www.devze.com 2023-03-17 16:22 出处:网络
What is the industry standard inserting user input that may contain apostrophes into a database? Such an input will be displayed b开发者_如何学编程ack to users on a webpage. For example, a user update
相关专题:phpsecurity

What is the industry standard inserting user input that may contain apostrophes into a database? Such an input will be displayed b开发者_如何学编程ack to users on a webpage. For example, a user updates some field to "I'm cool". I insert it into my database with this function:

public function updateDatabase($value) {
   $value = mysql_real_escape_string($value);
   Database::instance()->query(
      'UPDATE myTable
       SET myColumn = ' . $value . '
       WHERE foo = "bar"'
   );
}

The database will now store "I\'m cool". To display this value properly and safely back to any user, I would have to clean it with this function:

public function toSafeDisplay($userGeneratedValue) {
   return stripslashes(
      htmlentities(
         $userGeneratedValue
      )   
   );
}

My concern is that doing stripslashes and htmlentities on everything I want to display on a webpage will be very processor intensive. The general concensus on StackOverflow is to not do htmlentities before inserting into the database, so that the data is as raw as possible. This would allow it to be later displayed in any medium, not just websites. So we're forced to do htmlentities at display time. Is this also true with stripslashes? Or is it possible to remove all the slashes before the apostrophes before updating the database without introducing SQL injection attacks?.

That's not how it works at all. If you escape an apostrophy going into the insert/update when you read it back into php it will NOT be escaped. If you want HTML safe data coming out of the database then make it safe before you put it in.

Notice to developers that use mysql_real_escape_string properly:

If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

If you found out that magic_quotes_gpc is set to On turn it Off in php.ini!

Check also: http://gr.php.net/manual/en/function.mysql-real-escape-string.php

The database should not store it as I\'m cool, but rather as I'm cool. The escape is to allow the apostrophe to be included as part of the data updated in myColumn. I have seen cases where a site displays I\'m cool back to the user, but that is probably a case of double-escaping.

Edit:

mysql_real_escape_string does not store slashes in the database. It escapes the value in the SQL statement. The only way you would get extra slashes in the database is if you did something equivalent to mysql_real_escape_string(mysql_real_escape_string($value)).

0

上一篇:

:下一篇

更多 问答 相关资讯:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

    关注公众号

    热门标签

    图文推荐

    Delphi - Custom drawing a message list

    Delphi - Custom drawing a message list
    C++ header-only include pattern

    C++ header-only include pattern
    IE7 Margin Collapses Into Padding

    IE7 Margin Collapses Into Padding
    in CoffeeScript, how can I use a variable as a key in a hash?

    in CoffeeScript, how can I use a variable as a key in a hash?
    Interactive visualization of a graph in python [closed]

    Interactive visualization of a graph in python [closed]
    How to customise PHP MYSQL tables?

    How to customise PHP MYSQL tables?
    High quality, simple random password generator

    High quality, simple random password generator
    Image Recognition ApI in android

    Image Recognition ApI in android

    开发者开发者网给大家分享系统运维,大数据运维,云计算,编程开发技巧,路由交换,运维和开发相关的资讯及技术文章,同时StackOverflow中文社区,知识经验交流分享。

    法律声明:本站内容均为网友上传,网站举办方负责审核和监督,如存在版权或非法内容,欢迎举报,我们将尽快予以删除。邮箱:devze@qq.com

    Copyright © 2018-2020 开发者. All rights reserved. Powered by 开发者ICP备案号: 京ICP备10032868号-9