当你在数据库中看到成功插入的数据时,如果用<密码>mysql_real_einski_string(),请在上不要查询数据库中的斜坡。 这是因为在Kall问询表中只需要 escaping击。 mysql_real_einski_string(> sanitizes it for内插入(或更新,或其他查询投入),但在数据储存时确实导致数据的长期修改。

In general, you do not want to store modified or sanitized data in your database, but instead should be storing the data in its original version. For example, it is best practice to store complete HTML strings, rather than to store HTML that has been encoded with PHP s htmlspecialchars().

When you retrieve it back out from the database, there is no need for stripslashes() or other similar unescaping. There are some legacy (mis-)features of PHP like magic_quotes_gpc that had been designed to protect programmers from themselves by automatically adding backslashes to quoted strings, requiring `stripslashes() to be used on output, but those features have been deprecated and now mostly removed.

MySQL stores the data without the slashes (although it is passed to the RDBMS with the slashes). So you don t need to use stripslashes() later on.

你们可以肯定,由于其他原因,扼杀会失败。

I m 设法清理我的网站用户输入的所有文本(和大多数其他数据)

这就是你正在做的错误。

1. mysqli_real_escape_string does not "cleanse" anything. There is no word "cleanse" in it s name.
2. You should format, not "cleanse" your data. And different data require different formatting.
3. You should format ALL the data, not only data entered by the user of my website

以目前的形式,你将网站置于非常易受攻击和错误的境地。

I was under the impression that the function inserted backslashes ( ) before all characters capable of being malicious ( , , " , etc ),

To let you know, there is nothing malicious in any character. There are some service characters, that can be misinterpreted in some circumstances.
But adding backslashes doesn t make your data automatically "safe". Some injections doesn t require any special characters. So, you need to properly format your data, not just use a some sort of magic that will make you magically safe