手动更新数据库,但不通过php
[英]Manually updating the database but not via php
问题描述
Can someone point why the below code is not working? 
有人可以指出为什么下面的代码不起作用吗?
$insert="insert into $table (id,date,updatedtime,09to10,09to10comments)".
" values ($id,curdate(),curtime(),'test','test1')";
print "query is<br> $insert<br>";
$escaped_insert=mysqli_real_escape_string($connect,$insert);
$check_query=mysqli_query($connect,$escaped_insert);
if(!$check_query)
{
print "unable to update the database";
}
else
{
print "successfully updated the database";
}
it is showing the below error output in webpage 它在网页中显示以下错误输出
query is
insert into tasks (id,date,updatedtime,09to10,09to10comments) values (408112,curdate(),curtime(),'test','test1')
unable to update the database
but manually it works when i execute same query in mysql. 但是当我在mysql中执行相同的查询时,它可以手动工作。
mysql> insert into tasks (id,date,updatedtime,09to10,09to10comments) values (408
112,curdate(),curtime(),'test','test1');
Query OK, 1 row affected, 46 warnings (0.05 sec)
1 个解决方案
解决方案1
3 2014-03-15 15:50:08
Why doesn't it work? 为什么不起作用?
You're using mysqli_real_escape_string() incorrectly. 您使用的mysqli_real_escape_string()错误。 It escapes a single string , not the whole query. 它转义单个字符串 ,而不是整个查询。 If you've got multiple user input variables, you need to escape them individually. 如果您有多个用户输入变量,则需要分别对其进行转义。 Escaping the whole SQL query will not work. 逃离整个SQL查询将行不通 。
The goal of escaping is to prevent characters with special meaning from having that special meaning. 转义的目的是防止具有特殊含义的字符具有该特殊含义。 Since you are escaping the whole SQL query containing all your quoted values, you are also escaping the quotes and stopping them from correctly quoting the values. 由于要转义包含所有带引号的值的整个SQL查询,因此也要转义引号并阻止它们正确地对值进行引号。
This is how you should use it: 这是您应该如何使用它:
// Escape ALL the input prior to executing the query
$id = mysqli_real_escape_string($connect, $id);
// The query
$insert = "INSERT INTO $table (ID,`date`,UPDATEDTIME,09TO10,09TO10COMMENTS)
VALUES ($id,CURDATE(),CURTIME(),'test','test1')";
// Execute the query
$check_query = mysqli_query($connect, $insert);
Better way: Prepared Statements 更好的方法:准备好的报表
You can manually escape all the user input yourselves. 您可以手动转义所有用户输入的内容。 That'd work, sure. 当然可以。 But with prepared statements , you don't have to worry about escaping at all . 但随着预处理语句 ,你不必对所有逃避烦恼。 The bound variables are sent separately, so there's no chance of SQL injection (provided you use it correctly). 绑定变量是单独发送的,因此没有SQL注入的机会(前提是您正确使用了它)。 It won't forget to escape the user input, or miss out on any special characters which could be used to inject some malicious SQL. 它不会忘记逃避用户输入,或者错过任何可能用于注入恶意SQL的特殊字符。
Here's how you'd do it with prepared statements: 使用准备好的语句的方法如下:
/* Create a new mysqli object with database connection params */
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
// The query
$insert = "INSERT INTO $table (ID,`date`,UPDATEDTIME,09TO10,09TO10COMMENTS)
VALUES (?,CURDATE(),CURTIME(),'test','test1')";
if ($stmt = $mysqli->prepare($insert)) {
/* Bind parameters: s - string, i - int, etc */
$stmt->bind_param('i', $id);
/* Execute it */
if ($stmt->execute()) {
// Execution successful
// Do whatever you want
}
/* Close statement */
$stmt -> close();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.