函数中的mysqli_real_escape_string,不起作用?
[英]mysqli_real_escape_string in function, not working?
问题描述
I made a function exactley after how our teacher made in an online lecture. 
我按照老师在网上讲课的方式制作了函数。 But its not working, the error message said first that there vas a varible missing. 但是它不起作用,该错误消息首先说存在一个变量缺失。 So i checked it up and on w3schools they say that you need the connection as varibale and the string. 所以我检查了一下,在w3schools上,他们说您需要连接为varibale和字符串。 So I added the connection, but then i got an error that said that the varible vas undefined. 所以我添加了连接,但是随后出现一个错误,指出未定义的vas。 I tried putting the function in different places in the php-document but i dont know how to work this one out, plz help? 我试着将函数放在php文档的不同位置,但是我不知道如何解决这个问题,请帮助?
My code (i deleted my passwords): 我的代码(我删除了密码):
<?php
// A function to help prevent SQL Injection.
function preparePostData($value)
{
// Removes slashes (/) if the server automaticlly adds them.
if(get_magic_quotes_gpc()){
$value = stripslashes($value);
}
/* Adds quote marks if the value is not numeric or a numeric string.
mysqli_real_escape_string adds slashes (/) if there is any character thats not allowed
and then the text string will not be processed in MySQL. */
if(!is_numeric($value)){
$value = "'" . mysqli_real_escape_string($dbConn, $value) . "'";
}
return $value;
}
// If the submit button is set do this..
if(isset($_POST['saveNews'])){
// Connection to db
$dbConn = mysqli_connect("localhost","sabe0011","password","sabe0011");
// Check connection
if(mysqli_connect_errno($dbConn)){
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// SQL question
$insertSQL = "INSERT INTO News (NewsId, Headline, News, Date) VALUES ('NULL',".preparePostData($_POST['newsHeader']).",".preparePostData($_POST['news']).",".preparePostData($_POST['newsDate']).");";
if(mysqli_query($dbConn, $insertSQL)){
echo "Nyheter har sparats";
}
else{
echo "Följande fel uppstod " . mysqli_error() . ".";
}
}
// Connection to db
$dbConn = mysqli_connect("localhost","sabe0011","password","sabe0011");
$dbConn->set_charset("utf8");
// Check connection
if(mysqli_connect_errno($dbConn)){
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$newsSQL = mysqli_query($dbConn,"SELECT * FROM News ORDER BY Date;");
echo "<div>";
if(mysqli_num_rows($newsSQL) > 0)
{
while($rowNews = mysqli_fetch_array($newsSQL)){
echo '<h2>' . $rowNews["Headline"] . '</h2>' . '<time>' . $rowNews["Date"] . '</time>' . '<p>' . $rowNews["News"] . '</p>';
}
}
else{
echo "Inga nyheter hittades";
}
echo "</div>";
?>
2 个解决方案
解决方案1
0 已采纳 2013-05-11 17:20:01
If you connect at the top of your script you'll need to somehow pass it your function. 如果您在脚本的顶部进行连接,则需要以某种方式将其传递给您的函数。 You have two options. 您有两个选择。 Either make it a parameter in you function. 在您的函数中将其设为参数。 function reparePostData($value,$dbconn); Or you can declare your connection a global variable inside the function, and allow the function to access this variable inside the function global $dbconn; 或者,您可以在函数内部将连接声明为全局变量,并允许函数在global $dbconn;函数内部访问此变量global $dbconn; . 。
解决方案2
-2 2013-05-11 17:16:31
You are using this function wrong way. 您使用此功能的方式错误。
mysqli_real_escape_string has nothing to do with POST data . mysqli_real_escape_string 与POST数据无关 。 Only magic quotes do. 只有魔术引号可以。
So, you have to split this function into two: 因此,您必须将此函数分为两个部分:
- One which cleans your POST data from magic quotes . 一种可以从魔术引号中清除POST数据 。
One which produces a correct string literal
一个产生正确的字符串文字的 function prepareSQLliteral($value) { if(!is_numeric($value)){ global $dbConn; $value = "'" . mysqli_real_escape_string($dbConn, $value) . "'"; } return $value; }
However, using manual formatting is not the way to go. 但是,使用手动格式不是可行的方法。
the same processing have to be done not on the global variable but on the very value that is going into query. 不必对全局变量执行相同的处理,而要对要查询的值进行相同的处理。 And only prepared statements can do that. 而且只有准备好的语句才能做到这一点。
But because mysqli prepared statements are quite unusable, you have to use PDO instead. 但是由于mysqli准备好的语句非常不可用,因此必须使用PDO 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.