[英]mysqli_real_escape_string Catchable fatal error error
i want to insert in db and use this code 我想插入数据库并使用此代码
$con=mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
$sql = "select * from `mobiles` where `user_id`='$_SESSION[userid]' AND `id`='mysqli_real_escape_string($con,$_POST[con_id])' AND `activecode`='mysqli_real_escape_string($con,$_POST[regcode])' ";
but when i execute an error shown: 但是当我执行显示的错误时:
Catchable fatal error: Object of class mysqli could not be converted to string in /home/mobileab/public_html/index.php on line 116
why how can i use this in my code for sql injection? 为什么我如何在我的代码中使用此代码进行sql注入? thank you so
谢谢你这么
You are not concatenating correctly, functions are not executed in a string: 您未正确连接,函数未在字符串中执行:
$sql = "select * from `mobiles` where `user_id`='$_SESSION[userid]'
AND `id`='" . mysqli_real_escape_string($con,$_POST['con_id']) . "'
AND `activecode`='" . mysqli_real_escape_string($con,$_POST['regcode']) . "'";
But I would recommend using a prepared statement instead. 但我建议改用准备好的语句。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.