Why does mysqli_real_escape_string() return NULL?
I am coding a login/register page. I want to protect the form from SQL injections using mysqli_real_escape_string(). If I use it, the function returns NULL.
And I don't know why... I searched and I found that maybe I am not connected to the database, but I am, since I can query it.
This is the code that I am using to connect to the database (db.php):
<?php
$con = mysqli_connect("localhost","user","pass","database");
// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
The code that returns NULL:
include("includes/db.php");
function escapeInput($data) {
    $data = trim($data);
    $data = htmlspecialchars($data);
    $data = stripslashes($data);
    $data = mysqli_real_escape_string($con, $data);
    return $data;
}
if (isset($_SESSION['username'])){
    header("Location: home.php");
}
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    if($_POST['action'] == 'login')
    {
        $username = escapeInput($_POST['username']);
        $password = escapeInput($_POST['password']);
        var_dump($username);
        $password = sha1($password, true);
        $login = "SELECT COUNT(*) FROM users WHERE username = '$username' AND password = '$password'";
        $result = mysqli_query($con,$login);
        $user = mysqli_fetch_array($result, MYSQLI_NUM);
        if($user[0]) {
            echo '<div class="alert alert-success" role="alert">Successfuly logged in.</div>';
            // Store Session Data
            $_SESSION['username'] = $username; // Initializing Session with value of PHP Variable
            header("Location: home.php");
            die();
        }
        else echo '<div class="alert alert-danger" role="alert">Incorrect username and/or password.</div>';
    }
}
The reality is if you want to code a login page these days you shouldn't be using deprecated code. You should look into PDO. I made the jump and it sounded scary at first but it was one of the best things I ever did. It's as simple as this.
$Qry = $db->prepare("SELECT COUNT(username) FROM users WHERE username = :User AND password = :Pass");
$Qry->execute(array(':User'=>$username, ':Pass'=>$password));
Then you can use
$Qry->rowCount();
You'll have to change your connection string but it's much more secure and future friendly.
mysqli_real_escape_string() requires two parameters:
the connection resource (by calling mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);)
mysqli_real_escape_string() always returns null when the first parameter is null. Therefore, make sure that you have created a connection object and that you have not yet closed it with mysqli_close().
Try this:
$data = mysqli_escape_string($con, $data);
You need to pass your connection object as first parameter.
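An added example, not part of the original thread: inside escapeInput() the variable $con is not in scope, so the function receives null as its first argument; passing the connection in explicitly and using a prepared statement, as the first answer suggests, avoids both the NULL and the escaping step. It assumes the pdo_sqlite extension (an in-memory database so it runs without a server), a constructed users table, a hypothetical checkLogin() helper, and password_hash()/password_verify() in place of the question's sha1().

```php
<?php
declare(strict_types=1);

// Added example with constructed data; checkLogin() and the schema are hypothetical.

// The connection is an explicit argument: a PHP function body cannot see a
// global such as $con unless it is passed in (or imported with `global`).
function checkLogin(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps the value out of the SQL text, so there is no
    // escaping step and no use for htmlspecialchars()/stripslashes() here.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :user');
    $stmt->execute([':user' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    // password_verify() checks the input against a salted password_hash() value.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed demo database. For MySQL only the DSN and credentials change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:user, :hash)');
$insert->execute([
    ':user' => 'alice',
    ':hash' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

// Constructed inputs: a valid login, a wrong password, and a username that
// contains quote characters, which the placeholder treats as plain data.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
];

foreach ($attempts as [$user, $pass]) {
    printf("%-20s %s\n", $user, checkLogin($db, $user, $pass) ? 'accepted' : 'rejected');
}
```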