2013-03-02 75 views
-3

I'm using PHP and PDO with prepared statements in a class file. I keep getting the error "Warning: mysql_real_escape_string(): Access denied for user" when the method is called. I really don't know how to fix this. PHP PDO Warning: mysql_real_escape_string(): Access denied for user

Here is the method from the class file:

public function insertReview() {
    $fk_employee = $_POST['fk_employee'];

    // Current Date returned from JQuery and formatted to add to DB.
    $cdate = $_POST['current_date'];
    $current_date = explode("/", $cdate);
    $cmonth = $current_date[0];
    $cday = $current_date[1];
    $cyear = $current_date[2];
    $current_dateA = array($cyear, $cmonth, $cday);
    $review_date = implode("-", $current_dateA);

    // Review Begin Date returned from JQuery Datepicker and formatted to add to DB.
    $bdate = $_POST['r_period_begin'];
    $begin_date = explode("/", $bdate);
    $bmonth = $begin_date[0];
    $bday = $begin_date[1];
    $byear = $begin_date[2];
    $begin_dateA = array($byear, $bmonth, $bday);
    $r_period_begin = implode("-", $begin_dateA);

    // Review End Date returned from JQuery Datepicker and formatted to add to DB.
    $edate = $_POST['r_period_end'];
    $end_date = explode("/", $edate);
    $emonth = $end_date[0];
    $eday = $end_date[1];
    $eyear = $end_date[2];
    $end_dateA = array($eyear, $emonth, $eday);
    $r_period_end = implode("-", $end_dateA);

    // Criteria
    $criterias = $_POST['criteria'];
    $criteriaValue = $_POST['criteriaValue'];
    $comments = $_POST['Comments'];

    foreach ($criteriaValue as $key => $value) {
        foreach ($criterias as $crit) {
            if ($crit == $key) {
                $string1 = $key;
                foreach ($comments as $comment => $comm) {
                    if ($string1 == $comment) {
                        $string3 = $comm;
                    }
                }
            }
        }
        foreach ($value as $result) {
            $string2 = $result;
        }

        $criteria .= mysql_real_escape_string($string1 . '|' . $string2 . '|' . $string3 . '|');
    }

    $overall_rating = $_POST['overall_rating'];
    $additional_comments = $_POST['additional_comments'];
    $goals = $_POST['goals'];

    $conn = parent::connect();
    $sql = "INSERT INTO " . TBL_EMPLOYEE_REVIEW . " (
        fk_employee,
        review_date,
        r_period_begin,
        r_period_end,
        criteria,
        overall_rating,
        additional_comments,
        goals
    ) VALUES (
        :fk_employee,
        :review_date,
        :r_period_begin,
        :r_period_end,
        :criteria,
        :overall_rating,
        :additional_comments,
        :goals
    )";

    try {
        $st = $conn->prepare($sql);
        $st->bindValue(":fk_employee", $fk_employee, PDO::PARAM_STR);
        $st->bindValue(":review_date", $review_date, PDO::PARAM_STR);
        $st->bindValue(":r_period_begin", $r_period_begin, PDO::PARAM_STR);
        $st->bindValue(":r_period_end", $r_period_end, PDO::PARAM_STR);
        $st->bindValue(":criteria", quote($criteria), PDO::PARAM_STR);
        $st->bindValue(":overall_rating", $overall_rating, PDO::PARAM_STR);
        $st->bindValue(":additional_comments", $additional_comments, PDO::PARAM_STR);
        $st->bindValue(":goals", $goals, PDO::PARAM_STR);

        $st->execute();
        parent::disconnect($conn);
    } catch (PDOException $e) {
        echo $e->getFile();
        echo $e->getTraceAsString();
        echo "The exception was created on line: " . $e->getLine();

        die("Query failed: " . $e->getMessage());
    }
}
+0

I don't think you need `mysql_real_escape_string()` with the PDO approach. – hjpotter92 2013-03-02 21:27:28

Answers

3

When using PDO, don't use mysql_real_escape_string(). The PDO class handles the escaping itself.

Every time you use bindValue(), it does this for you.

Replace this line:

$criteria .= mysql_real_escape_string($string1 . '|' . $string2 . '|' . $string3 . '|'); 

with this line:

$criteria .= $string1 . '|' . $string2 . '|' . $string3 . '|'; 
+0

If I take out mysql_real_escape_string, that part of the code stops working. I don't know how to replace it. – user2091928 2013-03-02 22:08:10

+0

@user2091928 I've updated the answer. – Shackrock 2013-03-02 22:14:47

1

PDO and mysql_* are two completely different extensions. mysql_real_escape_string needs a database connection to do its job. If you haven't previously opened a connection with mysql_connect, mysql_real_escape_string will try to create a new connection with the default credentials when you call it. That fails, hence the error message.

As @Shackrock said, don't use mysql_real_escape_string if you aren't using mysql_*. Use PDO's escaping functions, or more precisely PDO's parameterized queries and bound values. That is far better than manual escaping anyway.
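The point both answers make, shown end to end as an added example (it is not the asker's or either answerer's code): the criteria string is built without mysql_real_escape_string(), inserted through a bound parameter, and read back unchanged. It uses an in-memory SQLite database so it runs offline; the table name employee_review, its columns, and the stand-in for $_POST are assumptions modelled on the question. It also shows why the question's quote($criteria) wrapper would be wrong even if it existed: quoting a value and then binding it stores the quote characters as data.

```php
<?php
// Added example, not the original post's code. Assumes an in-memory SQLite
// database and a table named employee_review with the columns used below.
declare(strict_types=1);

function buildCriteria(array $criterias, array $criteriaValue, array $comments): string
{
    // Same pipe-delimited layout as the question, but no manual escaping:
    // the bound parameter carries the raw string to the driver.
    $criteria = '';
    foreach ($criteriaValue as $key => $values) {
        if (!in_array($key, $criterias, true)) {
            continue;
        }
        $result  = end($values);            // last submitted rating, as the original loop does
        $comment = $comments[$key] ?? '';
        $criteria .= $key . '|' . $result . '|' . $comment . '|';
    }
    return $criteria;
}

function insertReview(PDO $conn, array $post): int
{
    $sql = 'INSERT INTO employee_review (fk_employee, criteria, goals)
            VALUES (:fk_employee, :criteria, :goals)';
    $st = $conn->prepare($sql);
    $st->bindValue(':fk_employee', $post['fk_employee'], PDO::PARAM_INT);
    // No quote() and no mysql_real_escape_string(): the placeholder keeps the
    // value out of the SQL text, so quotes and backslashes are stored as typed.
    $criteria = buildCriteria($post['criteria'], $post['criteriaValue'], $post['Comments']);
    $st->bindValue(':criteria', $criteria, PDO::PARAM_STR);
    $st->bindValue(':goals', $post['goals'], PDO::PARAM_STR);
    $st->execute();
    return (int) $conn->lastInsertId();
}

function fetchReview(PDO $conn, int $id): array
{
    $st = $conn->prepare('SELECT criteria, goals FROM employee_review WHERE id = :id');
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    return $st->fetch(PDO::FETCH_ASSOC);
}

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE employee_review (id INTEGER PRIMARY KEY, fk_employee INTEGER, criteria TEXT, goals TEXT)');

// Constructed stand-in for $_POST, including characters that break hand-built SQL.
$post = [
    'fk_employee'   => 7,
    'criteria'      => ['Teamwork', 'Punctuality'],
    'criteriaValue' => ['Teamwork' => ['4'], 'Punctuality' => ['2']],
    'Comments'      => ['Teamwork' => "Works well with O'Brien's team", 'Punctuality' => 'Late twice \\ noted'],
    'goals'         => "Finish the roadmap'; DROP TABLE employee_review; --",
];

$id  = insertReview($conn, $post);
$row = fetchReview($conn, $id);

// Round trip: what went in is exactly what comes back, and the table still exists.
assert($row['criteria'] === buildCriteria($post['criteria'], $post['criteriaValue'], $post['Comments']));
assert($row['goals'] === $post['goals']);
echo "stored criteria: ", $row['criteria'], PHP_EOL;

// The double-escaping mistake: quoting before binding puts the quotes into the data.
$st = $conn->prepare('INSERT INTO employee_review (fk_employee, criteria, goals) VALUES (:e, :c, :g)');
$st->bindValue(':e', 7, PDO::PARAM_INT);
$st->bindValue(':c', $conn->quote($row['criteria']), PDO::PARAM_STR);
$st->bindValue(':g', '', PDO::PARAM_STR);
$st->execute();
$bad = fetchReview($conn, (int) $conn->lastInsertId());
assert($bad['criteria'] === "'" . str_replace("'", "''", $row['criteria']) . "'");
echo "quoted-then-bound criteria: ", $bad['criteria'], PHP_EOL;
```

Run it with `php -d zend.assertions=1 example.php` so the assert() calls are evaluated. The first insert is the corrected version of the question's code; the second insert reproduces what quote() before bindValue() does, which is the same class of mistake as escaping with mysql_real_escape_string() first.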
