使用 PDO 通过 PHP 保存到 mysql 时字符串会发生变异
String gets mutated when saving to mysql via PHP using PDO
这是sql:
INSERT INTO stepup (target, body) VALUES ('http://test.com/dev-ws/events', '{"username":"Unknown","verb":"answer","object":"http:\/\/localhost\/elgg\/answers\/view\/42954\/q1","context":{"course":"42902","phase":"1","widget_type":"questions","activity_id":"95c48","widget_title":"Wonder moment"},"originalrequest":{"value":{"description":"<p>\u041f\u0440\u043e\u0443\u0447\u0432\u0430\u043d\u0435<\/p>","question_id":42954}},"starttime":"2015-03-26 17:28:57 +0100","endtime":"2015-03-26 17:28:57 +0100"}')
那我就$conn->exec($sql);
但是DB(mysql)中body的实际内容是:
"{\"username\":\"Unknown\",\"verb\":\"answer\",\"object\":\"http://localhost/elgg/answers/view/42954/q1\",\"context\":{\"course\":\"42902\",\"phase\":\"1\",\"widget_type\":\"questions\",\"activity_id\":\"95c48\",\"widget_title\":\"Wonder moment\"},\"originalrequest\":{\"value\":{\"description\":\"<p>u041fu0440u043eu0443u0447u0432u0430u043du0435</p>\",\"question_id\":42954}},\"starttime\":\"2015-03-26 17:28:57 +0100\",\"endtime\":\"2015-03-26 17:28:57 +0100\"}"
所以 \u 被替换为 u :(
我能做什么..我认为不 "preparing" SQL,这将停止发生...
在 postgre 中:
\uxxxx, \Uxxxxxxxx (x = 0 - 9, A - F) 16 or 32-bit hexadecimal Unicode character value
请检查:
String Constants with C-style Escapes
求解:
您可以使用 \ 或 regexp_replace(c, '[^\]\(u\d{4})', '\\\1', 'g');
你必须使用 PDO->quote()。
访问http://php.net/manual/en/pdo.quote.php了解更多详情
您可能还想阅读有关 NO_BACKSLASH_ESCAPES sql 模式的 MySQL
您似乎正在将 JSON 内容注入到查询中的 SQL 字符串文字中。您可能有 SQL 注入安全漏洞,这比 \u 序列丢失更严重。
您应该使用参数化查询以避免必须考虑转义规则。例如在 PDO 中:
$url= 'http://test.com/dev-ws/events';
$json= '{"username":"Unknown","verb":"answer","object":"http://localhost/elgg/answers/view/42954/q1","context":{"course":"42902","phase":"1","widget_type":"questions","activity_id":"95c48","widget_title":"Wonder moment"},"originalrequest":{"value":{"description":"<p>\u041f\u0440\u043e\u0443\u0447\u0432\u0430\u043d\u0435</p>","question_id":42954}},"starttime":"2015-03-26 17:28:57 +0100","endtime":"2015-03-26 17:28:57 +0100"}';
$q= $db->prepare('INSERT INTO stepup (target, body) VALUES (?, ?)');
$q->bindParam(1, $url, PDO::PARAM_STR);
$q->bindParam(2, $json, PDO::PARAM_STR);
$q->execute();
这是sql:
INSERT INTO stepup (target, body) VALUES ('http://test.com/dev-ws/events', '{"username":"Unknown","verb":"answer","object":"http:\/\/localhost\/elgg\/answers\/view\/42954\/q1","context":{"course":"42902","phase":"1","widget_type":"questions","activity_id":"95c48","widget_title":"Wonder moment"},"originalrequest":{"value":{"description":"<p>\u041f\u0440\u043e\u0443\u0447\u0432\u0430\u043d\u0435<\/p>","question_id":42954}},"starttime":"2015-03-26 17:28:57 +0100","endtime":"2015-03-26 17:28:57 +0100"}')
那我就$conn->exec($sql);
但是DB(mysql)中body的实际内容是:
"{\"username\":\"Unknown\",\"verb\":\"answer\",\"object\":\"http://localhost/elgg/answers/view/42954/q1\",\"context\":{\"course\":\"42902\",\"phase\":\"1\",\"widget_type\":\"questions\",\"activity_id\":\"95c48\",\"widget_title\":\"Wonder moment\"},\"originalrequest\":{\"value\":{\"description\":\"<p>u041fu0440u043eu0443u0447u0432u0430u043du0435</p>\",\"question_id\":42954}},\"starttime\":\"2015-03-26 17:28:57 +0100\",\"endtime\":\"2015-03-26 17:28:57 +0100\"}"
所以 \u 被替换为 u :(
我能做什么..我认为不 "preparing" SQL,这将停止发生...
在 postgre 中:
\uxxxx, \Uxxxxxxxx (x = 0 - 9, A - F) 16 or 32-bit hexadecimal Unicode character value
请检查: String Constants with C-style Escapes
求解: 您可以使用 \ 或 regexp_replace(c, '[^\]\(u\d{4})', '\\\1', 'g');
你必须使用 PDO->quote()。
访问http://php.net/manual/en/pdo.quote.php了解更多详情
您可能还想阅读有关 NO_BACKSLASH_ESCAPES sql 模式的 MySQL
您似乎正在将 JSON 内容注入到查询中的 SQL 字符串文字中。您可能有 SQL 注入安全漏洞,这比 \u 序列丢失更严重。
您应该使用参数化查询以避免必须考虑转义规则。例如在 PDO 中:
$url= 'http://test.com/dev-ws/events';
$json= '{"username":"Unknown","verb":"answer","object":"http://localhost/elgg/answers/view/42954/q1","context":{"course":"42902","phase":"1","widget_type":"questions","activity_id":"95c48","widget_title":"Wonder moment"},"originalrequest":{"value":{"description":"<p>\u041f\u0440\u043e\u0443\u0447\u0432\u0430\u043d\u0435</p>","question_id":42954}},"starttime":"2015-03-26 17:28:57 +0100","endtime":"2015-03-26 17:28:57 +0100"}';
$q= $db->prepare('INSERT INTO stepup (target, body) VALUES (?, ?)');
$q->bindParam(1, $url, PDO::PARAM_STR);
$q->bindParam(2, $json, PDO::PARAM_STR);
$q->execute();