[英]PHP array_map() and mysqli_real_escape_string()
I want to clean all the data before they will be sent to the database (in each database connection) 我想清除所有数据,然后将它们发送到数据库(在每个数据库连接中)
if(!get_magic_quotes_gpc()) {
$_GET = array_map('mysqli_real_escape_string', $_GET);
$_POST = array_map('mysqli_real_escape_string', $_POST);
$_COOKIE = array_map('mysqli_real_escape_string', $_COOKIE);
}
The Code above gives me the below error error 上面的代码给我下面的错误error
mysqli_real_escape_string() expects exactly 2 parameters, 1 given
Anyone knows a better way of achieving this? 有谁知道实现此目标的更好方法?
You are getting the error because you are using mysqli_real_escape_string
instead of mysqli_real_escape_string($connection,$_POST['data'])
its required two parameter. 之所以出现错误,是因为您使用的是
mysqli_real_escape_string
而不是mysqli_real_escape_string($connection,$_POST['data'])
它需要的两个参数。 mysqli_real_escape_string()
is ok to use but if you want to be safe from sql injection
you should use PDO prepare statement
.See below insert query. mysqli_real_escape_string()
可以使用,但是如果您想安全地进行sql injection
,则应该使用PDO prepare statement
参见下面的插入查询。
$prov_id = $_POST['prov_id'];
$practice_name = $_POST['prov_id'];
$connection = new PDO("mysql:host=xxxx;dbname=xxxx;", "xxxx", "xxxx"); //database connection
$statement = $connection->prepare('INSERT INTO practices(prov_id,practice_name) VALUES (:prov_id,:practice_name)');
$statement->bindParam(':prov_id', $prov_id);
$statement->bindParam(':practice_name', $practice_name_data);
// etc.
$statement->execute();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.