2014-02-28 60 views
1

PHP MySQL real escape string not working

I want to read from and write to a database. Here is the code I have so far:

$mysql = mysqli_connect("example.com", "johndoe", "abc123"); // replace with actual credentials 
$username = mysqli_real_escape_string("username"); 
$sql = "CREATE DATABASE IF NOT EXISTS dbname"; 
if (!mysqli_query($mysql, $sql)) { 
    echo "Error creating database: " . mysqli_error($mysql); 
} 
if (mysqli_connect_errno()) { 
    echo "Failed to connect to MySQL: " . mysqli_connect_error(); 
} 
mysqli_close($mysql); 
$mysql = mysqli_connect("example.com", "johndoe", "abc123", "dbname"); // replace with actual credentials 
$sql = "CREATE TABLE IF NOT EXISTS Users(ID INT NOT NULL AUTO_INCREMENT, PRIMARY KEY(ID), username CHAR(15), password CHAR(15), email CHAR(50))"; 
if (!mysqli_query($mysql, $sql)) { 
    echo "Error creating table: " . mysqli_error($mysql); 
} 
$sql = "INSERT INTO Users(username, password, email) VALUES(" . $username . ", " . $password . ", " . $email . ")"; 
if (!mysqli_query($mysql, $sql)) { 
    echo "Error: " . mysqli_error($mysql); 
} 
mysqli_close($mysql); 

However, when I try to run it, I get an error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' ,)' at line 1 

Can anyone tell me how to fix this?

+1

Hmm, but where is the MySQL_real_escape_string in this program? – David

+1

It's spelled "escape", not "escape". :) – cHao

+0

Oops, sorry, that was a typo. –

Answers

0

Rewrite your second SQL query like this..

$sql = "INSERT INTO Customers(`username`, `password`, `email`) VALUES ('$username','$password','$email')"; 

The problem was incorrect escaping.

Sidenote: switch to prepared statements to better protect against SQL injection attacks!

+0

Using quotes doesn't solve the escaping... it's still SQL injectable... – inf3rno

+0

@inf3rno, I agree. Sidenote added. –

1

mysqli_real_escape_string needs the connection parameter too...

$username = mysqli_real_escape_string($mysql,"username"); 
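
As an added example (not code from the question or from either answer), here is the asker's INSERT rewritten with mysqli prepared statements, which removes the need to call mysqli_real_escape_string at all; the host, credentials and the sample username/password/email values are placeholders, and the table layout is the one from the question.

```php
<?php
// Added example: the asker's INSERT done with a prepared statement instead of string concatenation.
// Host and credentials are placeholders, as in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors instead of failing silently

$mysql = mysqli_connect("example.com", "johndoe", "abc123", "dbname");
mysqli_set_charset($mysql, "utf8mb4"); // escaping and binding are charset-aware; set it on the connection

// Constructed sample input: a value containing a quote, the kind of input that breaks a string-built query.
$username = "o'brien";
$password = "s3cret";   // real code stores password_hash($password, PASSWORD_DEFAULT), which needs a column wider than CHAR(15)
$email    = "ob@example.com";

// The ? placeholders keep the values out of the SQL text entirely, so quoting and escaping are
// handled by the driver and the " ,)" syntax error from the question cannot occur.
$stmt = mysqli_prepare($mysql, "INSERT INTO Users(username, password, email) VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, "sss", $username, $password, $email); // three string parameters
mysqli_stmt_execute($stmt);
echo "Inserted row ID " . mysqli_stmt_insert_id($stmt) . "\n";
mysqli_stmt_close($stmt);

// Reading back with a bound parameter works the same way; the quote in the username is no problem.
$stmt = mysqli_prepare($mysql, "SELECT ID, email FROM Users WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id, $mail);
while (mysqli_stmt_fetch($stmt)) {
    echo "$id: $mail\n";
}
mysqli_stmt_close($stmt);

// If the SQL string really must be built by hand, both points raised in the answers apply:
// pass the connection as the first argument, and wrap the escaped value in quotes.
$safeUser = mysqli_real_escape_string($mysql, $username);
$sqlByHand = "SELECT ID FROM Users WHERE username = '$safeUser'";
echo $sqlByHand . "\n"; // the quote inside o'brien is now escaped as o\'brien

mysqli_close($mysql);
```

Binding is the preferred fix; the escaped-by-hand form at the end is shown only to make the two mistakes in the original code (missing connection argument, missing quotes) concrete.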

0

Escape the characters so they are clean for the database; you can use the function below to sanitize them properly before inserting,

<?php 
function cleanInput($input) { 
    $search = array(
        '@<script[^>]*?>.*?</script>@si',  // Strip out javascript 
        '@<[\/\!]*?[^<>]*?>@si',           // Strip out HTML tags 
        '@<style[^>]*?>.*?</style>@siU',   // Strip style tags properly 
        '@<![\s\S]*?--[ \t\n\r]*>@'        // Strip multi-line comments 
    ); 

    $output = preg_replace($search, '', $input); 
    return $output; 
} 
?> 

and on final output, to escape ' on the page, use:

htmlspecialchars($quote_str, ENT_QUOTES); 
htmlentities($quote_str, ENT_QUOTES); 