
I am looking for a way to safely insert a string into a database?

Developer https://www.devze.com 2023-04-13 00:16 Source: Web
    $comment = mysql_real_escape_string($comment);

I use this, but it doesn't help. I use TinyMCE to insert strings into my database, but on selection I get weird characters...

    × ×›×ª×‘ על ידי
    \\r\\n

    \r\n \r\n

Is there a way to parse/encode the string before it goes to the database, without this happening?

UPDATE:

This is what the text that goes into the database looks like:

    <div class=\"entry\" style=\"padding-top: 20px; padding-right: 20px; padding-bottom: 10px; padding-left: 20px; margin:
    0px;\">\r\n<div class=\"entrymeta\" style=\"padding: 0px; margin: 0px;\">Posted on 15.10.2011 at 11:04 in&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" title=\"View all posts in Games\" href=\"http://www.rlslog.net/category/games/\" rel=\"category tag\">Games</a>,&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" title=\"View all posts in PC\" href=\"http://www.rlslog.net/category/games/pc/\" rel=\"category tag\">PC</a>&nbsp;by&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" title=\"Posts by Frado\" href=\"http://www.rlslog.net/author/frado/\">Frado</a></div>\r\n<div class=\"entrybody\" style=\"padding: 0px; margin: 0px;\">\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\">SKIDROW releases a fix for Orcs Must Die, read the NFO for details.</p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\">Description</strong>: Slice them, burn them, skewer them, and launch them &ndash; no matter how you get it done, orcs must die in this fantasy action-strategy game from Robot Entertainment.As a powerful War Mage with dozens of deadly weapons, spells, and traps at your fingertips, defend twenty-four fortresses from a rampaging mob of beastly enemies, including ogres, hellbats, and of course, a whole bunch of ugly orcs. 
    Battle your enemies through a story-based campaign across multiple difficulty levels, including brutal Nightmare mode!</p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\" align=\"center\"><img style=\"border-width: 1px; border-color: #cccccc; border-style: solid; padding: 5px; margin: 5px;\" src=\"http://i27.lulzimg.com/4a9c85ba50.jpg\" alt=\"\" width=\"493\" height=\"278\" /></p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\"><br style=\"padding: 0px; margin: 0px;\" /></strong></p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\">Release name</strong>: Orcs.Must.Die.Fix-SKIDROW<br style=\"padding: 0px; margin: 0px;\" /><strong style=\"padding: 0px; margin: 0px;\">Size</strong>: 39,1 KB<br style=\"padding: 0px; margin: 0px;\" /><strong style=\"padding: 0px; margin: 0px;\">Links</strong>:&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.robotentertainment.com/games/orcsmustdie\">Homepage</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://store.steampowered.com/app/102600/\">Steam</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://uk.pc.ign.com/objects/080/080529.html\">iGN</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.gametrailers.com/game/orcs-must-die/14641\">Gametrailers</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://nfo.rlslog.net/view/29500\">NFO</a></p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; 
    padding-left: 0px; line-height: 19px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\">Download</strong>:&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.filesonic.com/file/2568940201\">FiLESONiC&nbsp;</a>-&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.fileserve.com/file/RsfZMT4\">FiLESERVE</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.newtorrents.info/search/Orcs.Must.Die.Fix-SKIDROW\">NTi</a></p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\"><iframe style=\"border-width: initial; border-color: initial; overflow-x: hidden; overflow-y: hidden; width: 450px; height: 35px; border-style: none; padding: 0px; margin: 0px;\" src=\"http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.rlslog.net%2Forcs-must-die-fix-skidrow%2F&amp;layout=standard&amp;show_faces=false&amp;width=450&amp;action=like&amp;colorscheme=light&amp;height=35\" frameborder=\"0\" scrolling=\"no\"></iframe></p>\r\n<p class=\"comments_link\" style=\"padding-top: 20px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; line-height: 19px; margin: 0px;\"><a style=\"color:
    #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" title=\"Comment on Orcs Must Die Fix-SKIDROW\"
    href=\"http://www.rlslog.net/orcs-must-die-fix-skidrow/#respond\">Comments(0)</a></p>\r\n</div>\r\n</div>\r\n<div style=\"padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 40px; margin: 0px;\"><iframe style=\"padding: 0px; margin: 0px;\" src=\"http://www.roadcomponentsdb.com/300.htm\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"NO\" width=\"300\" height=\"250\"></iframe></div>\r\n<p id=\"nextlinks\" style=\"padding-top: 20px; padding-right: 20px; padding-bottom: 0px; padding-left: 20px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\">Previous post:</strong>&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.rlslog.net/musclemag-international-%e2%80%93-december-2011-p2p/\">MuscleMag International &ndash; December 2011-P2P</a></p>


Two suggestions:

  1. Ditch the mysql_XXX API. It's going to be scrapped at some point, and it lacks crucial features, most notably parametrized queries. If you don't know what parametrized queries are, go read. They're the only sane way of keeping your SQL connectivity code sane. For PHP, I'd recommend PDO - it's a tad bit less straightforward, but it is well worth the learning curve.
  2. Make sure your charsets / encodings are correct. The easiest thing to do these days is to use Unicode (utf-8) for everything. You need to set the encoding in the database itself (if you can; in MySQL you need to do this per table and per column, which can be quite a hassle if you have to retro-fit it), the connection encoding (just call SET NAMES UTF-8 first thing after you establish a connection), PHP's internal encoding (mb_internal_encoding), and the output encoding (mb_http_output). Also, make sure you are actually outputting UTF-8; this means that all your source files and templates should also be saved in utf-8 encoding.

And whatever you do: NEVER EVER CONCATENATE OR SUBSTITUTE VALUES INTO QUERIES. Code like this: mysql_query("SELECT * FROM users WHERE USERNAME = '$username'"); should be illegal - there are just too many ways to shoot yourself in the foot with this and introduce SQL injection vulnerabilities. (And if you don't know what SQL injection is, read up on that one too).

Finally, a few hints on how you can debug your situation.

  • set up MySQL query logging. There's a setting in my.ini which will cause the MySQL server to dump all incoming queries into a log file. You don't want to do this on a production server, and you only want to enable it temporarily, but it's a great tool to see what actually gets sent to the server.
  • log into MySQL using the command-line client, and see what it outputs if you fire the same queries manually.
  • debug your PHP - make sure the values you're sending to the server are what you think they are - if you don't have a debugger at hand, peppering your script with print statements is better than nothing (just remember to remove them before committing).


This (additionally) looks like you have magic_quotes_gpc enabled. This is an insecure server setting and it destroys your data.

See also:

  • get_magic_quotes_gpc
  • Does using magic_quotes() affect the use of mysql_real_escape_string()
  • Magic quotes in PHP
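As an added example (not code from any of the answers), here is the advice of the first two answers put together in PHP: undo magic_quotes_gpc if the server still has it on, then insert and read back the TinyMCE HTML with PDO prepared statements over a utf8mb4 connection. The `comments` table, its columns and the connection credentials are assumptions.

```php
<?php
// Added example, not code from the answers: apply the first two answers' advice
// (PDO prepared statements, UTF-8 end to end, no magic quotes) to TinyMCE HTML.
// Assumed: table comments(id INT AUTO_INCREMENT PRIMARY KEY, body TEXT) in a
// utf8mb4 database; DB name and credentials below are placeholders.
declare(strict_types=1);

// 1. Undo magic_quotes_gpc if a legacy server (PHP < 5.4) still has it on, so
//    the HTML does not arrive with a backslash in front of every quote.
function rawRequestValue(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Connect with charset in the DSN (replaces a manual SET NAMES) and real,
//    non-emulated prepares, so values travel separately from the SQL text.
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4';
    return new PDO($dsn, 'PLACEHOLDER_USER', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// 3. Insert through a bound parameter: no escaping, no concatenation, so
//    quotes, backslashes and \r\n inside the HTML are stored byte for byte.
function insertComment(PDO $db, string $html): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $html]);
    return (int) $db->lastInsertId();
}

// 4. Read it back the same way; the round trip must return the original string.
function fetchComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

$db   = connect();
$html = rawRequestValue($_POST['comment'] ?? '');  // raw editor HTML from the form
$id   = insertComment($db, $html);
var_dump(fetchComment($db, $id) === $html);  // true once storage and connection agree
```

Storing the HTML this way protects the database, not the page that later renders it; the stored markup still has to be sanitised or encoded before output.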


Use prepared statements instead of escaping and see if that helps. Also check that the code pages / character sets are correct.


It is very simple actually.

For example, suppose I want to insert a string "Welcome" in my table; then I have to write a query like this:

    insert into mytable (name) values ('welcome')

If you are inserting your record dynamically, meaning in PHP or any other language, then write it like this:

    $string = "welcome";
    mysql_query("insert into mytable (name) values ('" . $string . "')");

And for security purposes also just enable magic quotes... please visit for more information:

http://www.php.net/manual/en/function.get-magic-quotes-gpc.php
