[英]How should I use mysql_query?
I'm having some problems with this function in the next code: 在下一个代码中,此函数存在一些问题:
if(!($_SESSION['autenticado']))
if($_POST["user"] && $_POST["pass"])
{
$user=$_POST["user"];
$con=mysql_connect("localhost","root","3270");
mysql_select_db("futbol",$con);
$query = "SELECT us_pass FROM user WHERE us_nom = '$user'";
print_r($query);
mysql_real_escape_string($query);
mysql_query($query)or die mysql_error();
//print_r($pas);
//$_SESSION["autenticado"]=1;
}
Am I using it wrowng? 我在用它吗?
You need to call mysql_real_escape_string
on the string that needs escaping, not the whole query: 您需要在需要转义的字符串而不是整个查询上调用mysql_real_escape_string
:
$user = mysql_real_escape_string($user);
$query = "SELECT us_pass FROM user WHERE us_nom = '$user'";
Addendum: if you are just exploring PHP's database integration, I'd urge you to have a look at PDO , which is a far more sophisticated and secure way of handling database operations. 附录:如果您只是在探索PHP的数据库集成,我敦促您看一下PDO ,它是处理数据库操作的更为复杂和安全的方式。
Note also that you're not actually doing anything with mysql_query
. 还要注意,您实际上并没有使用mysql_query
做任何事情。 This returns a resource, that you can then use to get information. 这将返回一个资源,您可以将其用于获取信息。 For example, to get the password returned, use the following: 例如,要获取返回的密码,请使用以下命令:
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
$password = $row['us_pass'];
}
To answer your question, you are using it wrong, you want to call the escape function on just the input, not the entire query: 要回答您的问题,您使用的是错误的,您只想对输入而不是整个查询调用转义函数:
$user = mysql_real_escape_string($user);
That said, mysql_*
functions are deprecated and you should be using either PDO or MySQLi . 也就是说,不建议使用mysql_*
函数,您应该使用PDO或MySQLi 。 Here's an example of a much better way to do it, using PDO: 这是使用PDO更好的方法的示例:
$con = new PDO('mysql:dbname=futbol;host=127.0.0.1', 'root', '3270');
$stmt = $con->prepare('SELECT us_pass FROM user WHERE us_nom = :user');
$stmt->execute(array('user' => $user));
$result = $stmt->fetchAll();
mysql_real_escape_string
Should be escaping $user
before it's inserted in to the SQL query, then passed directly off to mysql_query
. mysql_real_escape_string
在插入到SQL查询之前应该转义$user
,然后直接传递给mysql_query
。 The purpose of this is to avoid $_POST['user']
from having apostrophes in it that could otherwise foul up the query (since your user value is already surrounded in them. 这样做的目的是避免$_POST['user']
中带有撇号,否则可能导致查询混乱(因为您的用户值已经被它们包围了)。
eg if $_POST['user']
had joe'bob
as a value, your query would then become: 例如,如果$_POST['user']
将joe'bob
作为值,则您的查询将变为:
SELECT us_pass FROM user WHERE us_nom = 'joe'bob'
You can then see how a stray apostrophe could propose a problem. 然后,您可以查看流浪撇号如何提出问题。
Instead, try the following: 相反,请尝试以下操作:
if(!($_SESSION['autenticado']))
if($_POST["user"] && $_POST["pass"])
{
$con=mysql_connect("localhost","root","3270");
$user=mysql_real_escape_string($_POST["user"]); // escape your value here (and move below connection)
mysql_select_db("futbol",$con);
$query = "SELECT us_pass FROM user WHERE us_nom = '$user'";
print_r($query);
mysql_query($query) or die mysql_error();
//print_r($pas);
//$_SESSION["autenticado"]=1;
// here you would mysql_fetch_array/result/etc. and get what
// was returned from the database
}
Based on your comments to the other answers: You are sending your form using POST
and not GET
right? 根据您对其他答案的评论:您正在使用POST
发送表单,而不是GET
对吗?
The only reasons that you're not seeing anything are your if
conditions not being met, a problem connecting to the database or an error in your php (with errors suppressed); 你没有看到任何东西,唯一的原因是你的if
没有得到满足的条件下,连接到你的PHP数据库或一个错误的问题(有错误抑制); the script does not reach your print_r
statement. 该脚本未到达您的print_r
语句。
I´m not sure, but you also might want to use {}
for your first if
statement and clean-up your code a bit: I'd recommend isset()
instead of just feeding strings to if
statements. 我不确定,但是您可能还想在第一个if
语句中使用{}
并稍微清理一下代码:我建议使用isset()
而不是仅将字符串输入if
语句。
And check your error log. 并检查您的错误日志。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.