PHP和MySQL表单提交
[英]PHP and MySQL form submit
问题描述
In this block of code where do I put mysqli_real_escape_string() ? 
在此代码块中,我应将mysqli_real_escape_string()放在哪里?
Or if you have a better way of writing the whole block I'm interested to hear. 或者,如果您有更好的方式编写整个模块,我很想听听。
<?php
$title = ($_POST["title"]);
$date = ($_POST["date"]);
$content = ($_POST["content"]);
$query = "INSERT INTO months (";
$query .= " title, date, content ";
$query .= ") VALUES (";
$query .= " '{$title}', '{$date}', '{$content}' ";
$query .= ")";
mysqli_query($connection, $query); ?>
2 个解决方案
解决方案1
1 已采纳 2016-07-31 09:16:58
It would be the best to use prepared statements. 最好使用准备好的语句。
$stmt = mysqli_prepare($connection, "INSERT INTO months (title, date, content)
VALUES(?, ?, ?)");
mysqli_stmt_bind_param($stmt, "sss", $title, $date, $content);
$title = $_POST["title"];
$date = $_POST["date"];
$content = $_POST["content"];
mysqli_stmt_execute($stmt);
When using an escape function and string concatenation there might still be cases in which sql injection is possible. 当使用转义函数和字符串连接时,在某些情况下仍可能进行sql注入。 Prepared Statements work differently, so they are secure against sql injection. 预准备语句的工作方式不同,因此可以防止sql注入。 https://stackoverflow.com/a/60496/3595565 https://stackoverflow.com/a/60496/3595565
解决方案2
0 2016-07-31 09:12:36
Try this : 尝试这个 :
$title = mysqli_real_escape_string($_POST["title"]);
$date = mysqli_real_escape_string($_POST["date"]);
$content = mysqli_real_escape_string($_POST["content"]);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.