mysqli_real_escape_string似乎不起作用
[英]mysqli_real_escape_string doesn't seem to be working
问题描述
I am a novice in PHP. 
我是PHP的新手。 I am trying to insert a variable's value into a MariaDB table and was trying to use mysqli_real_escape_string to escape '$value'. 我正在尝试将变量的值插入MariaDB表中,并试图使用mysqli_real_escape_string来转义'$ value'。 I got the idea from here . 我从这里得到了这个主意。 It inserted an empty string to the table(I did add a connection link to the database). 它在表中插入了一个空字符串(我确实向数据库添加了一个连接链接)。
So, I copied and pasted the following code from PHP Manual , it still didn't work. 因此,我从PHP Manual复制并粘贴了以下代码,但仍然无法正常工作。 The output I got was an error code alone: Error: 42000. What am I missing? 我得到的输出只是一个错误代码:错误:42000。我缺少什么?
I am using a Virtualbox, OS: CentOS7 我正在使用Virtualbox,操作系统:CentOS7
<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");
$city = "'s Hertogenbosch";
/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", mysqli_sqlstate($link));
}
$city = mysqli_real_escape_string($link, $city);
/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", mysqli_affected_rows($link));
}
mysqli_close($link);
?>
Update: Thank you for your prompt response! 更新:感谢您的及时答复! I tried @Pilan's code but I was not able to insert a row. 我尝试了@Pilan的代码,但无法插入行。 I created a table in the database called 'City'. 我在数据库中创建了一个名为“城市”的表。 I checked whether there was a database connection in the code and it did return "Connected". 我检查了代码中是否存在数据库连接,并且确实返回了“已连接”。 Here is the updated code: 这是更新的代码:
<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
else {
echo "Connected";
$city = "'s Hertogenbosch";
// Connect to db, returns mysqli-connection
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
// Prepare, "?" for placeholders, returns mysqli-statement
$stmt = $mysqli->prepare("INSERT INTO City (Name) VALUES (?)");
// Bin param to statement, with type "s" for string
$stmt->bind_param("s", $city);
//Execute
/* this query with escaped $city will work */
if ($stmt->execute()) {
printf("%d Row inserted.\n", mysqli_affected_rows($link));
}
}
mysqli_close($link);
?>
Update : Thanks guys, The code worked, It did insert into the table but 'Row inserted' didn't show up: turns out, I forgot to take out the semicolon from 'execute()' inside if conditional statement. 更新 :谢谢大家,代码起作用了,它确实插入了表中,但没有显示“行插入”:结果, 如果有条件语句,我忘了从'execute()'中取出分号。
1 个解决方案
解决方案1
6 已采纳 2018-06-29 22:00:24
Here you got an example of a prepared statement : 在这里,您有一个准备好的语句的示例:
$city = "'s Hertogenbosch";
// Connect to db, returns mysqli-connection
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
// Prepare, "?" for placeholders, returns mysqli-statement
$stmt = $mysqli->prepare("INSERT INTO myCity (Name) VALUES (?)");
// Bin param to statement, with type "s" for string
$stmt->bind_param("s", $city);
// Well execute :D
$stmt->execute();
For details have a look here: prepare , bind 有关详细信息,请在此处查看: prepare , bind
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.