堆栈内存溢出
  简体   繁体   English

将 mysqli_real_escape_string 与准备好的语句一起使用

[英]use mysqli_real_escape_string with prepared statement

 原文  2015-03-05 04:23:59       php/ mysqli

问题描述

I'm working on a PHP project with mysqli and need to retrieve the info from the user via $_POST , my problem is that I want to use prepared statements and mysqli->real_escape_string like this:我正在使用 mysqli 开发一个 PHP 项目,需要通过$_POST从用户那里检索信息,我的问题是我想像这样使用准备好的语句和mysqli->real_escape_string

//$mysqli is the link to my database
if( isset($_POST['ID_name']) && isset($_POST['Nombre_name']) )
        {
//just in case magic_quotes_gpc is on
            $id = trim(htmlentities(mysqli_real_escape_string(stripslashes($mysqli,$_POST['ID_name']))));
            $nombre = trim(htmlentities(mysqli_real_escape_string(stripslashes($mysqli,$_POST['Nombre_name'])));  

//... more code validation but not reffered to my question...

$query="insert into empleado_php values(?,?)";

if(!($consulta=$mysqli->stmt_init())){
    echo"Error al crear la sentencia ingresar.php";
    exit();
    }
if(!($consulta->prepare($query))){
    echo"Error al prepara la consulta ingresar.php";
    exit();
    }
if(!($consulta->bind_param("ss", $id, $nombre))){
    echo"Error anexando parametros ingresar.php";
    exit();
}
if(!($consulta->execute())){
    echo "Error al ejecutar la consulta";
    echo"<br>";
    echo "Error ".$consulta->error. "con codigo  " .$consulta->errno;
    exit();
}
else{
    echo "Datos ingresados exitosamente !!!";
}
$consulta->close();
$mysqli->close();
?>

My question is: do I need to use mysqli_real_scape_string when using prepared statement?我的问题是:使用准备好的语句时是否需要使用mysqli_real_scape_string if yes, my code is good?如果是,我的代码很好吗? could you give a better sample?你能给一个更好的样本吗?

1 个解决方案

解决方案1
 1  2015-03-05 04:27:07

From http://php.net/manual/en/mysqli.quickstart.prepared-statements.php来自http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

Escaping and SQL injection Bound variables are sent to the server separately from the query and thus cannot interfere with it.转义和 SQL 注入绑定变量与查询分开发送到服务器,因此不会干扰它。 The server uses these values directly at the point of execution, after the statement template is parsed.在解析语句模板之后,服务器在执行点直接使用这些值。 Bound parameters do not need to be escaped as they are never substituted into the query string directly.绑定参数不需要转义,因为它们永远不会直接替换到查询字符串中。 A hint must be provided to the server for the type of bound variable, to create an appropriate conversion.必须向服务器提供绑定变量类型的提示,以创建适当的转换。 See the mysqli_stmt_bind_param() function for more information.有关更多信息,请参阅 mysqli_stmt_bind_param() 函数。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 mysqli_real_escape_string AND准备好的语句? - mysqli_real_escape_string AND prepared statements? mysqli预处理语句和mysqli_real_escape_string - mysqli prepared statements and mysqli_real_escape_string 如何使用mysqli_real_escape_string()? - How to use mysqli_real_escape_string()? mysqli_real_escape_string mysqli链接? - mysqli_real_escape_string mysqli link? mySQLI-mysqli_real_escape_string问题 - mySQLI - problem with mysqli_real_escape_string 正确使用mysqli_real_escape_string进行插入,选择和更新语句-PHP / Oracle - Correct use of mysqli_real_escape_string for insert,select and update statement - PHP/Oracle 将foreach和mysqli_real_escape_string用于许多帖子值 - Use foreach and mysqli_real_escape_string for many post value 如何在查询中正确使用mysqli_real_escape_string()函数 - how to correctly use mysqli_real_escape_string() Function in a query PHP和MySQL-使用mysqli_real_escape_string的正确方法 - PHP and MySQL - correct way to use mysqli_real_escape_string mysqli_real_escape_string使用哪种引号? - What kinds of quotes to use with mysqli_real_escape_string?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM