Converting mysql_* to mysqli_* issue

I am using MySQLConverterTool to convert my web application.

The first issue I faced is the code getting too big; I don't even understand what that means. It was very small code before, and now I see this is too big.

//old code
$ask_id = mysql_real_escape_string($_POST['ask_id']);

//after convert
$ask_id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $_POST['ask_id']) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

It's working fine, but I want to know if this is the correct mysqli_* way, or is there some issue or bug I need to fix in the line?

I also want to know how I can make this part secure:

if (isset($_POST['asking-money'])) {
    $dailyBonus = 10000;
    $update = mysqli_query($GLOBALS["___mysqli_ston"], "UPDATE users SET ask_time='$newtime', bonus='$dailyBonus'  WHERE id='$userid'");
// some more calculation
}

The first bit of code looks like it (grossly) added a giant ternary statement to check that the variables you were using were at least set, but other than that you should just be able to use:

mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $_POST['ask_id'])

As for security with the SQL query, try using Prepared Statements instead of directly querying with variables:

mysqli_prepare
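As an added example, not part of this answer, here is the UPDATE from the question rewritten with a mysqli prepared statement. The connection credentials, the integer types of the ask_time/bonus/id columns, and the $_SESSION source of $userid are assumptions; $newtime and $userid stand in for the same values the original snippet used.

```php
<?php
// Added example: the question's UPDATE rewritten with a mysqli prepared statement.
// Connection details are placeholders; column types are assumed to be integers.

// Throw exceptions on driver errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholder credentials

function grantDailyBonus(mysqli $mysqli, int $userid, int $newtime, int $dailyBonus): int
{
    // The SQL text contains only '?' placeholders; no user input is concatenated into it.
    $stmt = $mysqli->prepare('UPDATE users SET ask_time = ?, bonus = ? WHERE id = ?');

    // 'iii' binds all three values as integers. They travel separately from the
    // query text, so a value can never change the structure of the statement.
    $stmt->bind_param('iii', $newtime, $dailyBonus, $userid);
    $stmt->execute();

    $affected = $stmt->affected_rows; // 0 means no row matched $userid
    $stmt->close();
    return $affected;
}

if (isset($_POST['asking-money'])) {
    $dailyBonus = 10000;
    // Cast instead of escaping: a non-numeric id becomes 0 and matches no row.
    $userid  = (int) ($_SESSION['user_id'] ?? 0); // assumed source of the user id
    $newtime = time();

    $rows = grantDailyBonus($mysqli, $userid, $newtime, $dailyBonus);
    // some more calculation
}
```

The same pattern replaces the mysqli_real_escape_string() call for $_POST['ask_id']: bind it as a parameter of the statement that uses it rather than escaping it into the query string.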

For the mysqli_* part, most of the things that used to be done with mysql_* remained almost the same with a new prefix, so most likely there is no problem. As for how to make it secure, just evaluate and prepare all the parameters being passed from the user before using them in the query; in other words, NEVER, under any circumstances, use the user input directly in a query. Other than that the code seems very fine to me.

The first code is a ternary statement (short way for if/else). Way too much, in my opinion.

I recommend PDO and its prepared statements, if you're able to use it. It's very secure and easy to handle.

By the way: try to avoid the MySQLConverterTool. It's hard to get into this code after months. Keep it smart and simple! :-)

Good luck!
