问题描述:

I have a registration system which requests a users name. Some people have an apostrophe in their surname and it's preventing the data from being written to the MySQL database table (e.g. O'Hare).

I am using mysql_real_escape_string which is removing the apostrophe from the string. This would be fine except I need to use the value with the apostrophe against a Web Service, otherwise the Web Service will return false.

I was thinking I could do the name check with the Web Service before using mysql_real_escape_string, but could this present a security flaw? Or do SOAP Web Services already do their own checks for clean inputs?

Or is there a better way of passing through the variable whereby PHP retains the apostrophe but still keeps it secure and MySQL can accept it?

网友答案:

You should show us some code, because mysql_real_escape_string will not remove an apostrophe, but only escape them.
Escaping means O'Hare will become O\'Hare so that it can be inserted as a string: 'O\'Hare'. Upon retrieval from the database, your value should still be the original O'Hare.

So, if the apostrophe is 'lost' there likely is an error somewhere else in your program logic.

The other option is to switch from using the MySQL library to the MySQLi or PDO library for accessing your database. The latter two support prepared statements. Prepared statements are generally thought as being the best practice for querying your database.

网友答案:

mysql_real_escape_string() will not remove apostrophes.

Your problem is likely on the output side, or some other function messing with the input.

网友答案:

You need to have a database connection open before you use mysql_real_escape_string or it will malfunction.

相关阅读:
Top