[英]mysqli_real_escape_string not working
I just learned I had magic_quotes_gpc on (much to my chagrin). 我刚刚得知我打开了magic_quotes_gpc(这让我非常恼火)。 I turned that off.
我把那关了。
My database connection is made prior to this query. 我的数据库连接是在此查询之前进行的。 I have the following:
我有以下内容:
$subject = mysqli_real_escape_string($link, $_POST["subject"]);
$body = mysqli_real_escape_string($link, $_POST["body"]);
$id = mysqli_real_escape_string($link, $_POST["id"]);
mysqli_query($link, "UPDATE press SET press_title = '$subject', press_release = '$body' WHERE press_id = '$id'") or die( mysqli_error($link) );
With magic quotes on, this works fine. 加上魔术引号,可以正常工作。 Once I turn it off, single quotes jam up the works (with a MySQL syntax error at the quote).
一旦我将其关闭,单引号会阻塞工作(引号中包含MySQL语法错误)。 I thought I understood the concept but I must be missing something.
我以为我理解了这个概念,但是我必须缺少一些东西。 Can someone explain what I'm doing wrong?
有人可以解释我在做什么错吗?
UPDATE UPDATE
Error spit out by MySQL: you have an error in your SQL syntax; MySQL吐出错误:SQL语法有错误; check the manual that corresponds to your MySQL server version for the right syntax to use near 's what she said' at line 1
检查与您的MySQL服务器版本相对应的手册,以在第1行的“她所说的内容”附近使用正确的语法
UPDATE #2 Here's the echo'd query: 更新#2这是回声查询:
UPDATE press SET press_title = \'That\'s what she said\', press_release = \'That\'s what she said again!\' WHERE press_id = \'513\'
Use a parametrized query: 使用参数化查询:
$stmt = mysqli_prepare($link, "UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?") or die (mysqli_error($link));
mysqli_stmt_bind_param($stmt, "ssi", $_POST['subject'], $_POST['body'], $_POST['id']);
mysqli_stmt_execute($stmt);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.