blocks|key|2960571|text|stripslashes()是没有意义的。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|2960572|有些人过去认为这为他们提供了安全，但正如你所看到的，没有。它应该从PHP中完全删除，但它还没有被删除。|2960573|entityMap^0|0|E|0|0^^$0|@$1|2|3|4|5|6|7|J|8|@$9|K|A|L|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|M|8|@]|D|@]|E|$]]|$1|H|3|-4|5|6|7|N|8|@]|D|@]|E|$]]]|I|$]]

There is no point to <code>stripslashes()</code>.

Some folks used to think this provided them security, but as you can see it does not. It should be removed from PHP completely, but it hasn't been.

blocks|key|2960603|text|(截至2014年)它仍然有它的用途。它不是真正用于数据库，但即使是这样，也有用例。让我们假设，或者使用JavaScript从表单发送数据，并且您有一个带有引号的字符串，如"It's“。与通过$_GET超级变量获取值相比，您将得到"It's“的值。如果您不使用mysqli_real_escape_string()或类似的(为了安全您必须使用的)，则引号将被双重编码，反斜杠将保存到DB。对于这种情况，您将使用此函数。但它并不是为了安全性，也不一定与DB一起使用。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|2960604|entityMap^0|2N|5|3L|R|0^^$0|@$1|2|3|4|5|6|7|H|8|@$9|I|A|J|B|C]|$9|K|A|L|B|C]]|D|@]|E|$]]|$1|F|3|-4|5|6|7|M|8|@]|D|@]|E|$]]]|G|$]]

(As of 2014) It still has it's uses. It's not really used with a database but even with this, there are use cases. Let's assume, or send data from form using JavaScript and you have a string with a quote such as &quot;It's&quot;. Than getting the value through the <code>$_GET</code> supervariable, you'll get the value &quot;It's&quot;. If you than use <code>mysqli_real_escape_string()</code> or similar (which you must use for security), the quote will be double encoded and the backslash will be saved to the DB. For such scenarios, you would use this function. But it is not for security and not necessarily used with a DB.

blocks|key|2960636|text|mysqli_real_escape_string和stripslashes都不会对SQL注入进行保护。使用准备好的陈述。示例代码。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|2960637|<?php
$mysqli+=+new+mysqli("localhost",+"my_user",+"my_password",+"my_database");

/*+Prepared+statement,+stage+1:+prepare+*/
$stmt+=+$mysqli->prepare("INSERT+INTO+test(id)+VALUES+(?)");
$id+=+1;
$stmt->bind_param("i",+$id);
$stmt->execute();|code-block|syntax|javascript|2960638|entityMap^0|0|P|Q|C|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@$9|N|A|O|B|C]|$9|P|A|Q|B|C]]|D|@]|E|$]]|$1|F|3|G|5|H|7|R|8|@]|D|@]|E|$I|J]]|$1|K|3|-4|5|6|7|S|8|@]|D|@]|E|$]]]|L|$]]

Neither <code>mysqli_real_escape_string</code> nor <code>stripslashes</code> protect against SQL injection.
Use prepared statements.
Example Code.
<pre><code>&lt;?php
$mysqli = new mysqli(&quot;localhost&quot;, &quot;my_user&quot;, &quot;my_password&quot;, &quot;my_database&quot;);

/* Prepared statement, stage 1: prepare */
$stmt = $mysqli-&gt;prepare(&quot;INSERT INTO test(id) VALUES (?)&quot;);
$id = 1;
$stmt-&gt;bind_param(&quot;i&quot;, $id);
$stmt-&gt;execute();
</code></pre>

blocks|key|2960702|text|根据手册，stripslashes()的目的是取消引用一个引号，意思是删除引用一个字符的反斜杠。注意，PHP缺少字符数据类型，因此所有单个字符都是字符串。您可能希望仔细阅读这个示例代码，它演示了这个函数留下了包含不可打印字符的斜杠和逸出序列。Strip斜杠()的出现是为了对付PHP以前支持的特性:魔术引号造成的过多引用。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|2960703|在PHP的早期，Rasmus+Lerdorf使用的数据库需要转义单引号字符，他找到了一种避免手动添加反斜杠引号或转义字符的繁琐方法；他创建了神奇的引号。|2960704|++++...+useful+when+mSQL+or+Postgres95+support+is+enabled
++++since+...+single+quote+has+to+be+escaped+when+it+is+
++++part+of+[a]+...+query+...+

++++++++++++++++++++++++(See+php.h+in+PHP/FI+[php-2.0.1]+)|code-block|syntax|javascript|2960705|虽然魔术引号避免了开发人员不得不使用addslashes()，但此功能可能会自动引用不当。带有O'Reilly值的表单输入将显示为O\'Reilly。应用strip斜杠()解决了这个问题。虽然strip斜杠()符合其名称并去掉了反斜杠，但它不足以解决与魔术引号相关的所有问题，这一特性最终将在PHP5.3中被废弃，然后在the+5.4中被删除(请参见手册)。|style|CODE|2960706|如果仍然使用支持魔术引号的PHP版本，则可以查看引用的数据。例如，考虑来自包含url编码字符串的$_GET变量的情况，如下所示：|2960707|location.href="next_page.php?name=O%2527Riley";+//+$_GET['name']+==+O\'Riley+|2960708|如果您要应用于$_GET‘’name‘，无论是addslashes()还是mysqli_real_escape_string()，该变量的值将展开，其中包含另外两个反斜杠，如下所示：|2960709|O\\\'Riley|2960710|假设下一个变量在insert查询中使用。通常，引号的反斜杠不会存储在数据库中。但是，在这种情况下，查询将导致数据存储为：|2960711|O\'Riley|2960712|时至今日，对strip斜杠()的需求要小得多，但保留它还是好的。考虑下面的JavaScript，其中包含一个公然的错误：|2960713|location.href="http://localhost/exp/mydog.php
?content=My%2520dog%2520doesn\\\\\\\\\\\\\%2527t%2520
like%2520to%2520stay%2520indoors."|2960714|使用strip斜杠()，可以动态更正代码如下：|2960715|function+removeslashes($string)
{
++++while(+strpos(+$string,+"\\"+)+!==+FALSE+)+{
++++++$string+=+stripslashes(+$string+);
++++}
++++return+$string;
}

$text+=+htmlentities($_GET['content']);
if+(strpos($text,"\\")+!==+FALSE+)+{
++++echo+removeslashes(+$text+);
}|2960716|注意:strip斜杠()不是递归的。|2960717|entityMap|0|LINK|mutability|MUTABLE|url|http://www.php.net/stripslashes|1|https://3v4l.org/sO0XO#output|2|http://php.net/manual/en/regexp.reference.escape.php|3|http://php.net/manual/en/security.magicquotes.php^0|2|2|0|2G|4|1|38|4|2|0|0|0|1B|8|1T|9|4V|2|3|0|0|0|0|0|0|0|8|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|1O|8|@]|9|@$A|1P|B|1Q|1|1R]|$A|1S|B|1T|1|1U]|$A|1V|B|1W|1|1X]]|C|$]]|$1|D|3|E|5|6|7|1Y|8|@]|9|@]|C|$]]|$1|F|3|G|5|H|7|1Z|8|@]|9|@]|C|$I|J]]|$1|K|3|L|5|6|7|20|8|@$A|21|B|22|M|N]|$A|23|B|24|M|N]]|9|@$A|25|B|26|1|27]]|C|$]]|$1|O|3|P|5|6|7|28|8|@]|9|@]|C|$]]|$1|Q|3|R|5|H|7|29|8|@]|9|@]|C|$I|J]]|$1|S|3|T|5|6|7|2A|8|@]|9|@]|C|$]]|$1|U|3|V|5|H|7|2B|8|@]|9|@]|C|$I|J]]|$1|W|3|X|5|6|7|2C|8|@]|9|@]|C|$]]|$1|Y|3|Z|5|6|7|2D|8|@$A|2E|B|2F|M|N]]|9|@]|C|$]]|$1|10|3|11|5|6|7|2G|8|@]|9|@]|C|$]]|$1|12|3|13|5|H|7|2H|8|@]|9|@]|C|$I|J]]|$1|14|3|15|5|6|7|2I|8|@]|9|@]|C|$]]|$1|16|3|17|5|H|7|2J|8|@]|9|@]|C|$I|J]]|$1|18|3|19|5|6|7|2K|8|@]|9|@]|C|$]]|$1|1A|3|-4|5|6|7|2L|8|@]|9|@]|C|$]]]|1B|$1C|$5|1D|1E|1F|C|$1G|1H]]|1I|$5|1D|1E|1F|C|$1G|1J]]|1K|$5|1D|1E|1F|C|$1G|1L]]|1M|$5|1D|1E|1F|C|$1G|1N]]]]

Per the <a href="http://www.php.net/stripslashes" rel="nofollow noreferrer">Manual</a>, the purpose of stripslashes() is to unquote a quoted string, meaning to remove a backslash quoting a character. Note, PHP lacks a character data type, so all single characters are strings. You may wish to peruse this <a href="https://3v4l.org/sO0XO#output" rel="nofollow noreferrer">example code</a> which demonstrates that this function leaves forward slashes as well as <a href="http://php.net/manual/en/regexp.reference.escape.php" rel="nofollow noreferrer">escape sequences</a> involving non-printable characters unaltered. Stripslashes() arose to counter excessive quoting caused by a feature that PHP formerly supported: magic quotes.

In the early days of PHP when Rasmus Lerdorf worked with databases that necessitated escaping the single quote character, he found a way to avoid the tedium of manually adding a backslash to quote or escape that character; he created magic quotes:

<pre><code> ... useful when mSQL or Postgres95 support is enabled
 since ... single quote has to be escaped when it is 
 part of [a] ... query ... 

 (See php.h in PHP/FI [php-2.0.1] )
</code></pre>

While magic quotes saved developers from having to use addslashes(), this feature could automatically quote inappropriately. A form's input with a value of <code>O'Reilly</code> would display as <code>O\'Reilly</code>. Applying stripslashes() fixed that issue. Though stripslashes() lived up to its name and stripped away backslashes, it was inadequate for addressing all the problems associated with magic quotes, a feature that would ultimately be deprecated in PHP5.3 and then removed as of PHP5.4 (see <a href="http://php.net/manual/en/security.magicquotes.php" rel="nofollow noreferrer">Manual</a>).

You may view quoted data if you are still using a version of PHP that supports magic quotes. For example, consider the case of a $_GET variable that originates from a JavaScript containing a url-encoded string, as follows: 

<pre><code>location.href="next_page.php?name=O%27Riley"; // $_GET['name'] == O\'Riley 
</code></pre>

If you were to apply to $_GET['name'] either addslashes() or mysqli_real_escape_string(), this variable's value would expand, containing two more backslashes, as follows:

<pre><code>O\\\'Riley
</code></pre>

Suppose the variable were next used in an insert query. Normally the backslash of a quoted character does not get stored in the database. But, in this case, the query would cause data to be stored as:

<code>O\'Riley</code>

The need for stripslashes() is much less likely nowadays, but it's good to still retain it. Consider the following JavaScript, containing a flagrant typo:

<pre><code>location.href="http://localhost/exp/mydog.php
?content=My%20dog%20doesn\\\\\\\\\\\\\%27t%20
like%20to%20stay%20indoors."
</code></pre>

Using stripslashes(), one may dynamically correct the code as follows:

<pre><code>function removeslashes($string)
{
 while( strpos( $string, "\\" ) !== FALSE ) {
 $string = stripslashes( $string );
 }
 return $string;
}

$text = htmlentities($_GET['content']);
if (strpos($text,"\\") !== FALSE ) {
 echo removeslashes( $text );
}
</code></pre>

Note: stripslashes() is not recursive.

blocks|key|2960842|text|加法斜杠()|type|unstyled|depth|inlineStyleRanges|offset|length|style|BOLD|entityRanges|data|2960843|函数返回一个在预定义字符前面带有反斜杠的字符串。|2960844|php.net+-带有斜杠的引用字符串|2960845|stripslashes()|2960846|w3schools.com+-函数移除由addslashes()函数添加的反斜杠。|2960847|php.net+-取消引用一个引用的字符串|2960848|<?php
+
++$str+=+"Who's+Peter+Griffin?";
+
++echo+$str+.+"+This+is+original+string."+.+PHP_EOL;
+
++echo+addslashes($str)+.+"+This+is+addslashes+string."+.+PHP_EOL;
+
++echo+stripslashes(addslashes($str))+.+"+This+is+stripslashes+string."++.+PHP_EOL;
+
?>|code-block|syntax|javascript|2960849|嵌入PHP在线：|2960850|​|2960851|body,+html,+iframe+{+
++width:+100%25+;
++height:+100%25+;
++overflow:+hidden+;
}|2960852|<iframe+src="https://ideone.com/2DNzNJ"></iframe>|2960853|2960854|entityMap|0|LINK|mutability|MUTABLE|url|https://www.w3schools.com/php/func_string_addslashes.asp|1|http://php.net/manual/en/function.addslashes.php|2|3|http://php.net/manual/en/function.stripslashes.php^0|0|6|0|0|O|0|0|0|J|1|0|0|E|0|0|15|2|0|0|L|3|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|1G|8|@$9|1H|A|1I|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|1J|8|@]|D|@$9|1K|A|1L|1|1M]]|E|$]]|$1|H|3|I|5|6|7|1N|8|@]|D|@$9|1O|A|1P|1|1Q]]|E|$]]|$1|J|3|K|5|6|7|1R|8|@$9|1S|A|1T|B|C]]|D|@]|E|$]]|$1|L|3|M|5|6|7|1U|8|@]|D|@$9|1V|A|1W|1|1X]]|E|$]]|$1|N|3|O|5|6|7|1Y|8|@]|D|@$9|1Z|A|20|1|21]]|E|$]]|$1|P|3|Q|5|R|7|22|8|@]|D|@]|E|$S|T]]|$1|U|3|V|5|6|7|23|8|@]|D|@]|E|$]]|$1|W|3|X|5|6|7|24|8|@]|D|@]|E|$]]|$1|Y|3|Z|5|R|7|25|8|@]|D|@]|E|$S|T]]|$1|10|3|11|5|R|7|26|8|@]|D|@]|E|$S|T]]|$1|12|3|X|5|6|7|27|8|@]|D|@]|E|$]]|$1|13|3|-4|5|6|7|28|8|@]|D|@]|E|$]]]|14|$15|$5|16|17|18|E|$19|1A]]|1B|$5|16|17|18|E|$19|1C]]|1D|$5|16|17|18|E|$19|1A]]|1E|$5|16|17|18|E|$19|1F]]]]

addslashes():
<a href="https://www.w3schools.com/php/func_string_addslashes.asp" rel="nofollow noreferrer">w3schools.com - function returns a string with backslashes in front of predefined characters.</a> 
<a href="http://php.net/manual/en/function.addslashes.php" rel="nofollow noreferrer">php.net - Quote string with slashes</a>
stripslashes():
<a href="https://www.w3schools.com/php/func_string_addslashes.asp" rel="nofollow noreferrer">w3schools.com - function removes backslashes added by the addslashes() function.</a> 
<a href="http://php.net/manual/en/function.stripslashes.php" rel="nofollow noreferrer">php.net - Un-quotes a quoted string</a>
<pre><code>&lt;?php
 
 $str = &quot;Who's Peter Griffin?&quot;;
 
 echo $str . &quot; This is original string.&quot; . PHP_EOL;
 
 echo addslashes($str) . &quot; This is addslashes string.&quot; . PHP_EOL;
 
 echo stripslashes(addslashes($str)) . &quot; This is stripslashes string.&quot; . PHP_EOL;
 
?&gt;
</code></pre>
Embed PHP online:
<div class="snippet" data-lang="js" data-hide="false" data-console="true" data-babel="false">
<div class="snippet-code">
<pre class="snippet-code-css lang-css prettyprint-override"><code>body, html, iframe { 
 width: 100% ;
 height: 100% ;
 overflow: hidden ;
}</code></pre>
<pre class="snippet-code-html lang-html prettyprint-override"><code>&lt;iframe src="https://ideone.com/2DNzNJ"&gt;&lt;/iframe&gt;</code></pre>
</div>
</div>

Suppose you have the following:

<pre><code>&lt;?php

 $connection = mysqli_connect("host", "root", "passwd", "dbname");

 $habits = mysqli_real_escape_string($connection, $_POST['habits']);

?&gt;
</code></pre>

Lets say you entered, for a field called 'habits', the value 'tug o' war'. Therefore, the mysqli_real_escape_string function will escape the second quote symbol and the database engine won't be fooled into thinking that the value is 'tug o'. Instead, it will know that the value is actually 'tug o' war'. My question is, why then do you need a stripslashes function? A stripslashes function will simply strip away the good work that was done by the mysqli_real_escape_string function. Stripping away a backslash will simply return you to where you were, and the database will be fooled again. Am I to assume that the stripslashes function is NOT used for database purposes? That is, would this piece of code be completely nonsensical?:

<pre><code>&lt;?php

 $connection = mysqli_connect("host", "root", "passwd", "dbname");

 $habits = mysqli_real_escape_string($connection, $_POST['habits']);

 $undosomething = stripslashes($habits);

 echo '$undosomething';

?&gt;
</code></pre>

If stripslashes is NOT used for database purposes, what exactly is it used for?

What is the point of PHP's stripslashes function?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

假设您有以下内容：<?php $connection = mysqli_connect("host", "root", "passwd", "dbname"); $habits = mysqli_real_escape_string($connection, $_POST['habits']);?>假设你进...

问PHP的条形斜杠函数有什么意义？
EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问PHP的条形斜杠函数有什么意义？EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问PHP的条形斜杠函数有什么意义？
EN