Question

可能重复：
PHP, why do you escape my quotes?

如果我输入文本不是例如在输入字段中然后尝试显示它或使用PHP mysqli准备语句将其保存到MySQL我在单引号之前得到一个额外的反斜杠。

$name = $_POST['name'];
echo "name=($name)";

这输出：别我还得到了存储在MySQL中的额外反斜杠。

我怎么能避免这种情况并仍能输入反斜杠？

此致马格纳斯斯特兰德

Answer 1

使用stripslashes，

echo stripslashes("Who\'s Kai Jim?"); //Who's Kai Jim?

Answer 2

打开你的php.ini文件并转到第460行（差不多）并关闭魔术引号。像

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

保持Magic Quotes Off是一个很好的技术，从您的应用程序安全性开始。魔术引言本来就被打破了。它们用于清理PHP脚本的输入，但不知道如何使用该输入，就无法正确清理。

关于魔术引号的PHP手册页同意：

"This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged. Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed."

使用单引号将表单数据存储到MySQL

2 个答案: