{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 霸刀☆藐视天下 的问题《mysql_real_escape more than once》','https://www.manongdao.com/q-1153106.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I was just wondering whether it makes a difference if I mysql_real_escape data more than once?
So if I escaped data in one part of my website, and then again in another part of code. Would this be a problem? Or make a difference?
相关问题
- Views base64 encoded blob in HTML with PHP
- Laravel Option Select - Default Issue
- PHP Recursively File Folder Scan Sorted by Modific
- Can php detect if javascript is on or not?
- Using similar_text and strpos together
Yes, it will be an over-escapement problem. This is the same for any escaping, regardless of what exactly it does. For instance, if you'd escape double quotes in string following common rule:
after one escaping becomes
after two becomes
and so on. Number of "unescapements" must exactly match number of "escapements". You could see manifestations of this problem on some sites that over-escape some characters in text fields, so that simple apostrophe becomes
\'on output.The right place for mysql_real_escape is right before you send the query to save the data. Every other instance anywhere else in the script is a major design flaw.
That should preferably in an own db-class of course.
Of course, data would be double-escaped.
You should not use
mysql_real_escape()at all, parameterized queries via mysqli have been sticking around long enough.Yes. You'd get extra unnecessary backslashes.
Yes, it would be a problem.
For example:
if a is "Joe's House", the first call will produce "Joe\'s House" and the second one will produce "Joe\\\'s House", saving the backslash in the database.
This is similar to the problem that arises when the web server has the magic quotes enabled and you use mysql_real_escape_string on input from the client. This is solved by:
(For the latter example see http://www.php.net/get_magic_quotes_gpc )
[I edited the answer to reflect corrections in the comments below]
It is not possible to distinguish between an escaped and an unescaped string, because the thing which looks like an escaped string was the intended unescaped string. Therefore, trying to escape again, would escape the escaping - and the escaped-once text will be what MySQL reads.
Therefore, you should never escape more than once.
However, a better solution is to use paramterized queries, since then you don't need to escape at all.