0
我知道這可能以前已經問過,但我試圖保護我的搜索字段和從MySQL注入下降,我有麻煩整合mysql_real_escape_string到我的PHP。我目前通過2個下拉列表中的關鍵字篩選搜索結果,或者通過用戶輸入參考的自由格式輸入篩選搜索結果。我在下面評論了我試圖添加轉義字符串的位置,但它打破了我的搜索功能。任何人都可以告訴我該怎麼做?感謝您的幫助防止MySQL注入搜索和下拉列表
<?php
// SEARCH FROM TEXT INPUT
mysql_select_db($database_connectInfo, $connectInfo);
if (isset($_POST['searchByRef']))
{
$searchword = $_POST['searchByRef'];
//ESCAPE STRING HERE
$searchword = mysql_real_escape_string($connectInfo, $searchword);
$query_dbname = "SELECT * FROM dbname WHERE `ref` LIKE '%".$searchword."%'";
}
else
// SEARCH FROM DROPDOWN MENUS
if (isset($_REQUEST['submit']))
{
$drop1 = $_POST['search1'];
$drop2 = $_POST['search2'];
//ESCAPE STRING HERE
$drop1 = mysql_real_escape_string($connectInfo, $drop1);
$drop2 = mysql_real_escape_string($connectInfo, $drop2);
$query_dbname = 'SELECT * FROM dbname WHERE 1=1' . ($drop1 ? ' AND `colour` LIKE "%' . $drop1 . '%"' : '') . ($drop2 ? ' AND `style` LIKE "%' . $drop2 . '%"' : ' ORDER BY id DESC');
}
else
{
$query_dbname = "SELECT * FROM dbname ORDER BY ref DESC";
}
$dbname = mysql_query($query_dbname, $connectInfo) or die(mysql_error());
$row_dbname = mysql_fetch_assoc($dbname);
$totalRows_all = mysql_num_rows($dbname);
?>
你看了答案,例如http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1? –