逃离一个字符串意味着什么?

我正在读 是否需要在进入 SQL 查询之前转义 $_ SESSION [ & # 39; username & # 39; ] ?,它说: “您需要转义传递给 sql 查询的每个字符串,而不管它的来源是什么”。现在我知道这样的东西是非常基本的。谷歌搜索出超过20,000条结果。仅 Stackoverflow 就有20页的结果,但是没有人真正解释什么是字符串转义,或者如何进行转义。这只是假设。你能帮我吗?我想学习,因为我一直在用 PHP 制作一个网络应用程序。

我看过: 插入转义字符 Java 中的所有转义字符是什么?, 不能用 addcslash () 转义字符串, 转义字符 , Mysql _ real _ escape _ string ()到底是做什么的, 如何从 php 中的字符串转义双引号? , MySQL _ real _ escape _ string 没有添加斜杠, 在 php 中删除字符串中的转义序列我还可以继续,但是我相信你已经明白了。这不是懒惰。

116261 次浏览
小开

Some characters have special meaning to the SQL database you are using. When these characters are being used in a query they can cause unexpected and/or unintended behavior including allowing an attacker to compromise your database. To prevent these characters from affecting a query in this way they need to be escaped, or to say it a different way, the database needs to be told to not treat them as special characters in this query.

In the case of mysql_real_escape_string() it escapes \x00, \n, \r,\, ', " and \x1a as these, when not escaped, can cause the previously mentioned problems which includes SQL injections with a MySQL database.

小开
最佳答案

Escaping a string means to reduce ambiguity in quotes (and other characters) used in that string. For instance, when you're defining a string, you typically surround it in either double quotes or single quotes:

"Hello World."

But what if my string had double quotes within it?

"Hello "World.""

Now I have ambiguity - the interpreter doesn't know where my string ends. If I want to keep my double quotes, I have a couple options. I could use single quotes around my string:

'Hello "World."'

Or I can escape my quotes:

"Hello \"World.\""

Any quote that is preceded by a slash is escaped, and understood to be part of the value of the string.

When it comes to queries, MySQL has certain keywords it watches for that we cannot use in our queries without causing some confusion. Suppose we had a table of values where a column was named "Select", and we wanted to select that:

SELECT select FROM myTable

We've now introduced some ambiguity into our query. Within our query, we can reduce that ambiguity by using back-ticks:

SELECT `select` FROM myTable

This removes the confusion we've introduced by using poor judgment in selecting field names.

A lot of this can be handled for you by simply passing your values through mysql_real_escape_string(). In the example below you can see that we're passing user-submitted data through this function to ensure it won't cause any problems for our query:

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));

Other methods exist for escaping strings, such as add_slashes, addcslashes, quotemeta, and more, though you'll find that when the goal is to run a safe query, by and large developers prefer mysql_real_escape_string or pg_escape_string (in the context of PostgreSQL.

小开

For simplicity, you could basically imagine the backslash "\" to be a command to the interpreter during runtime.

For e.g. while interpreting this statement:

$txt = "Hello world!";

during the lexical analysis phase ( or when splitting up the statement into individual tokens) these would be the tokens identified $, txt, =, ", Hello world!, ", and ;

However the backslash within the string will cause an extra set of tokens and is interpreted as a command to do something with the character that immediately follows it : for e.g. 

$txt = "this \" is escaped";

results in the following tokens: $, txt, =, ", this, \, ", is escaped, ", and ;

the interpreter already knows (or has preset routes it can take) what to do based on the character that succeeds the \ token. So in the case of " it proceeds to treat it as a character and not as the end-of-string command.


提交答案