mysqli_real_escape_string不会插入到db中
[英]mysqli_real_escape_string doesn't insert into db
问题描述
I propose the following question ... I have to make sure that the following query also accept values with the quotes inside .. I tried using mysqli_real_escape_string but it did not work .. I am attaching my attempts .. 
我提出以下问题...我必须确保以下查询也接受带有引号的值..我尝试使用mysqli_real_escape_string但它不起作用..我附加了我的尝试..
1° Put the function during the post 1°在发布期间放置功能
$idCantiere = $_POST["idCantiere"];
$nomeCantiere = mysqli_real_escape_string($_POST["nomeCantiere"]);
$sql = "INSERT INTO Cantiere(
idCantiere,
nomeCantiere)
VALUES(
'$idCantiere',
'$nomeCantiere')";
if (mysqli_query($mysqli, $sql))
{
echo "<script type='text/javascript'>alert('Cantiere Inserto');
</script>";
} else
{
echo "Error: " . $sql . "" . mysqli_error($mysqli);
}
2° Put the function during the query 2°在查询期间放置功能
$idCantiere = $_POST["idCantiere"];
$nomeCantiere = $_POST["nomeCantiere"];
$sql = "INSERT INTO Cantiere(
idCantiere,
nomeCantiere)
VALUES(
'$idCantiere',
mysqli_real_escape_string('$nomeCantiere'))";
if (mysqli_query($mysqli, $sql))
{
echo "<script type='text/javascript'>alert('Cantiere Inserto');
</script>";
} else
{
echo "Error: " . $sql . "" . mysqli_error($mysqli);
}
How can I solve the problem? 我该如何解决这个问题?
5 个解决方案
解决方案1
3 2019-03-04 11:04:10
Drop the mysqli_real_escape_string() and just use prepared statements which is simple and prevents sql injections. 删除mysqli_real_escape_string()并使用简单的预处理语句并防止sql注入。
<?php
$idCantiere = isset($_POST['idCantiere']) ? $_POST['idCantiere'] : null;
$nomeCantiere = isset($_POST['nomeCantiere']) ? $_POST['nomeCantiere'] : null;
$sql = $mysqli->prepare("INSERT INTO Cantiere (idCantiere,nomeCantiere) VALUES(?.?)");
$sql->bind_param("is",$idCantiere,$nomeCantiere);
if($sql->execute()){
//success message
}else{
//return error
}
?>
A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency. 预准备语句是用于以高效率重复执行相同(或类似)SQL语句的功能。
Prepared statements basically work like this: 准备好的语句基本上是这样的:
Prepare: An SQL statement template is created and sent to the database. 准备:创建SQL语句模板并将其发送到数据库。 Certain values are left unspecified, called parameters (labeled "?"). 某些值未指定,称为参数(标记为“?”)。 Example: INSERT INTO MyGuests VALUES(?, ?, ?) The database parses, compiles, and performs query optimization on the SQL statement template, and stores the result without executing it Execute: At a later time, the application binds the values to the parameters, and the database executes the statement. 示例:INSERT INTO MyGuests VALUES(?,?,?)数据库在SQL语句模板上解析,编译和执行查询优化,并存储结果而不执行它执行:稍后,应用程序将值绑定到参数,数据库执行语句。 The application may execute the statement as many times as it wants with different values Compared to executing SQL statements directly, prepared statements have three main advantages: 应用程序可以根据需要多次执行语句,使用不同的值与直接执行SQL语句相比,预准备语句有三个主要优点:
Prepared statements reduce parsing time as the preparation on the query is done only once (although the statement is executed multiple times) Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. 准备语句减少了解析时间,因为查询的准备只进行一次(尽管语句执行多次)绑定参数最小化了服务器的带宽,因为您每次只需要发送参数,而不是整个查询Prepared语句非常对SQL注入有用,因为以后使用不同协议传输的参数值无需正确转义。 If the original statement template is not derived from external input, SQL injection cannot occur. 如果原始语句模板不是从外部输入派生的,则不能进行SQL注入。
解决方案2
0 2019-03-04 11:04:28
You have to pass the connection variable as first parameter Eg: 您必须将连接变量作为第一个参数Eg传递:
$con=mysqli_connect("localhost","my_user","my_password","my_db");
$age = mysqli_real_escape_string($con, $_POST['age']);
Checkout documentation for more detail. 结帐文档了解更多详情。 http://php.net/manual/en/mysqli.real-escape-string.php http://php.net/manual/en/mysqli.real-escape-string.php
解决方案3
0 2019-03-04 11:04:37
你在函数mysqli_real_escape_string($con,$sql);中缺少一个参数mysqli_real_escape_string($con,$sql);
解决方案4
0 2019-03-04 11:04:42
You can try to replace quote with php 您可以尝试用php替换引号
$nomeCantiere = $_POST["nomeCantiere"];
str_replace("'", "''", $nomeCantiere );
if you insert 2 quotes ( '' ) instead of one mysql will put that value in the table with only 1 quote 如果你插入2个引号('')而不是一个mysql将只在1个引号中放入该值
解决方案5
0 已采纳 2019-03-04 11:12:49
You are wrong to pass parameters to the mysqli_real_escape_string () function before inserting the post you must put the connection string with which you access the DB 在插入帖子之前将参数传递给mysqli_real_escape_string()函数是错误的,必须放置用于访问数据库的连接字符串
$connection=mysqli_connect("localhost","USER","PASSWORD","DB");
$nomeCantiere= mysqli_real_escape_string($connection, $_POST['nomeCantiere']);
your second attempt is wrong reuses my line of code in the first .. during the post 你的第二次尝试是错误的,在帖子中重用我的第一行代码
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.