堆栈内存溢出
  简体   繁体   English

如何在查询中正确使用mysqli_real_escape_string()函数

[英]how to correctly use mysqli_real_escape_string() Function in a query

 原文  2016-04-21 15:20:23       php

问题描述

I am trying to use the mysqli_real_escape_string() Function in a query. 我正在尝试在查询中使用mysqli_real_escape_string()函数。

This is my current code: 这是我当前的代码: 

 $Product_Id = substr($prod_name, 14, (strlen($prod_name)-14));
 $get_query = "SELECT P FROM Product WHERE Product_Id =' .mysql_real_escape_string((int)$Product_Id))";

This does not work, it creates the following error: 这不起作用,它会产生以下错误:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in 警告:mysqli_fetch_array()期望参数1为mysqli_result,布尔值在

But if i remove the mysqli_real_escape_string function my code works. 但是,如果我删除mysqli_real_escape_string函数,我的代码将起作用。

So what is the best way to do this, as i am trying to stop sql injection. 那么什么是最好的方法做到这一点,因为我试图停止SQL注入。

1 个解决方案

解决方案1
 1  2016-04-21 15:28:39

I am trying to use the mysqli_real_escape_string() Function in a query. 我正在尝试在查询中使用mysqli_real_escape_string()函数。

But you're actually not. 但是你实际上不是。 In your query you're using mysql_real_escape_string() . 在查询中,您正在使用mysql_real_escape_string()

Plus that query is malformed, so it wouldn't work anyway. 此外,该查询格式不正确,因此无论如何都无法正常工作。 Your quotes are in the wrong places. 您的报价写错了地方。 Try the following: 请尝试以下操作: 

$get_query = "SELECT P FROM Product WHERE Product_Id = " . (int) mysqli_real_escape_string($Product_Id);

Since $Product_Id is being cast to an integer , you won't need to wrap it in quotes within the query (assuming Product_Id column is integer-based; since you're casting it to an integer, I'm assuming it is). 由于$Product_Id$Product_Id转换为integer ,因此您无需将其用查询中的引号引起来(假设Product_Id列基于整数;因为您将其强制转换为整数,所以我假设是)。

And moving the type cast (int) from the argument within mysqli_real_escape_string() to actually preceding the function is what you're looking for. 您正在寻找将类型转换(int)mysqli_real_escape_string()的参数mysqli_real_escape_string()该函数的实际位置。 Although it's not necessary to cast $Product_Id at this time as it is redundant and could actually pose more problems than it'd solve in some circumstances (Ie. assume $Product_Id was somehow set to a string [ $Product_Id = 'Marcus' ], and you then cast it to an integer: (int) $Product_Id it'd return 0 , but no error). 尽管此时不必$Product_Id转换$Product_Id ,因为它是多余的,并且在某些情况下实际上可能带来比其要解决的问题更多的问题(即,假设$Product_Id以某种方式设置为字符串[ $Product_Id = 'Marcus' ],然后将其转换为整数: (int) $Product_Id它将返回0 ,但没有错误)。 A negative integer would also slip through which I'm assuming you don't have negative $Product_Id 's, right? 假设您没有负数$Product_Id ,那么负整数也会$Product_Id ,对吧? There are much better ways to detect, and handle, variable types prior to sending them to a query. 在将变量类型发送到查询之前,有更好的方法来检测和处理变量类型。 But we can get into that another time. 但是我们可以再讨论一次。

In your query you had an erroneous single-quote ( WHERE Product_Id =' ) which was causing a parsing error. 在您的查询中,您使用了错误的单引号( WHERE Product_Id =' ),这导致了解析错误。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用mysqli_real_escape_string()? - How to use mysqli_real_escape_string()? mysqli_real_escape_string无法正常工作 - mysqli_real_escape_string not working correctly 函数中的mysqli_real_escape_string,不起作用? - mysqli_real_escape_string in function, not working? 如何在$ _GET ['page']中使用mysqli_real_escape_string - how to use mysqli_real_escape_string for $_GET['page'] 如何正确使用mysqli_real_escape_string - How to properly use mysqli_real_escape_string mysqli查询问题。 mysqli_real_escape_string错误 - mysqli query issue. mysqli_real_escape_string error 我是否正确使用了 mysqli_real_escape_string? - Am I using mysqli_real_escape_string correctly? mysqli_real_escape_string mysqli链接? - mysqli_real_escape_string mysqli link? mySQLI-mysqli_real_escape_string问题 - mySQLI - problem with mysqli_real_escape_string 如何在PHP中使用mysqli_real_escape_string()转义除换行符以外的所有字符? - How to use mysqli_real_escape_string() in PHP to escape all characters except newline?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM