试图解决mysqli_real_escape_string
[英]Trying to make a work around for the mysqli_real_escape_string
问题描述
So currently I have my code in procedural format so inorder to prevent myself from adding the "link" in the mysqli_real_escape_string function I've made a method that looks like this: 
因此,目前我以程序格式编写了代码,以便防止自己在mysqli_real_escape_string函数中添加“链接”,因此我制作了一种如下所示的方法:
// Used to create a legal SQL string that you can use in an SQL statement in place of mysqli_real_escape_string
public function escape_string($string) {
$newstring = mysqli_real_escape_string($this->dbconn, $string);
return $newstring;
}
When I use this though I don't get any results though let me know if you have any recommendations. 当我使用此功能时,虽然没有任何结果,但请告诉我您是否有任何建议。
Here are some examples where I use the function: 以下是使用函数的一些示例:
function email_exists($email,$dblayer){
$sql = "SELECT `id` FROM `users` WHERE `email` = '" . $dblayer->escape_string($email) . "'";
$results = $dblayer->select_query($sql);
if($results){
return true;
}else{
return false;
}
And this: 和这个:
public function pass_reset($email){
$newpass = substr(md5(mt_rand(1,99999)),0,8);
$newpasshash = md5($newpass . '************');
$sql = "UPDATE `admin_users` SET `password` = '" . $newpasshash . "' WHERE `username` = '" . $this->dblayer->escape_string($email) . "'";
$this->dblayer->modify_query($sql);
return $newpass;
}
And this which is created around another dblayer which is called dbobject: 这是围绕另一个称为dbobject的dblayer创建的:
case $range:
$dates = explode(',',$_GET['search-string']);
$sql = "SELECT SQL_CALC_FOUND_ROWS * FROM `user_profile` WHERE `created` BETWEEN '" . $dates[0] . "' AND '" . $dates[1] . "'";
break;
default:
$sql = "SELECT SQL_CALC_FOUND_ROWS * FROM `user_profile` WHERE `" . $_GET['search-field'] . "` LIKE '%" . $dbobject->escape_string($_GET['search-string']) . "%'";
break;
2 个解决方案
解决方案1
0 2017-06-01 21:44:12
It looks like the problem is probably two-fold. 看来问题可能是双重的。 First, I would expect that your $this->dbconn is NULL . 首先,我希望您的$this->dbconn为NULL 。 This would may mysqli_real_escape_string return NULL . 这可能会使mysqli_real_escape_string返回NULL 。 This means your SQL is probably looking for empty strings. 这意味着您的SQL可能正在寻找空字符串。
The best way to verify this is to either check if the connection is NULL or check the SQL you're running. 验证此问题的最佳方法是检查连接是否为NULL或检查正在运行的SQL。 Do you see a number of '' ? 你看到了一些'' ? Then you're concatenating against null. 然后,您将串联null。
The only way that could possibly happen, however, is if you have your error reporting suppressed. 但是,唯一可能的方式是,如果抑制了错误报告。 While you are developing you should have errors turned on. 在开发过程中,应该打开错误。 There is information on how to show errors in this question . 有关如何显示此问题中的错误的信息。
解决方案2
0 已采纳 2017-06-02 14:58:51
This is what I did differently to my original code to fix my problem. 这是我与原始代码不同的操作,以解决我的问题。 It might look a little ambiguous out of context. 从上下文来看,它可能看起来有点模棱两可。
// Used to create a legal SQL string that you can use in an SQL statement in place of mysqli_real_escape_string
public function escape_string($string) {
$newstring = '';
if ($this->dbconn) {
switch ($this->dbtype) {
case 'mysql' :
$newstring = mysqli_real_escape_string ( $this->dbconn, $string );
break;
}
}
return $newstring;
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.