
How to upgrade from mysql_* to mysqli_*?

I'm currently using deprecated code to get data from users, as follows:

/* retrieve */
$lastName = $_POST['lastName']; 
$firstName = $_POST['firstName']; 
$examLevel=$_POST['level'];

/* connect */
$dbc=mysql_connect("localhost", "user", "passw") or die('Error connecting to MySQL server');
mysql_select_db("db") or die('Error selecting database.');

/* sanitize */
$lastName=mysql_real_escape_string($lastName);
$firstName=mysql_real_escape_string($firstName); 
$examLevel=mysql_real_escape_string($examLevel);


/* insert */
$query_personal = "INSERT INTO personal (LastName, FirstName) VALUES  ('$lastName', '$firstName')";

$query_exam = "INSERT INTO exam (Level, Centre, BackupCentre, etc.) VALUES ('$examLevel', '$centre', '$backup', 'etc')";

This is working but I keep coming across warnings about security and lack of support. There's a small rewrite to connect with mysqli instead of mysql but what about mysqli_real_escape_string ? I've seen it used in examples but I've also seen advice to use prepared statements instead which don't use mysqli_real_escape_string.

And how would I use prepared statements to INSERT my data? I'm a bit at sea with this bit so far. For example, is parameter binding only for INSERTs and result binding only for SELECTs?

See these pages for converting mysql into mysqli:

Converting_to_MySQLi

https://wikis.oracle.com/display/mysql/Converting+to+MySQLi

and see the mysqli_real_escape_string manual, which explains the security problem with mysqli_real_escape_string and how to solve it.

php.net:

Security: the default character set

The character set must be set either at the server level, or with the API function mysqli_set_charset() for it to affect mysqli_real_escape_string(). See the concepts section on character sets for more information.

See this page for the query to insert data,

see this page on preparing data for insertion into MySQL,

and http://php.net/manual/de/mysqli.quickstart.prepared-statements.php
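The mysqli version the question asks about, as an added example (not code from the question or from either answer): the two INSERTs with parameter binding, followed by a SELECT that binds parameters and results, to show that neither kind of binding is tied to one statement type. It assumes the connection details and the personal/exam tables from the question, drops the "etc" placeholder column, and uses constructed sample values for $centre and $backup.

```php
<?php
// Added example: the question's INSERTs redone with mysqli prepared statements.
// Assumes a MySQL server on localhost, database "db", user "user", password
// "passw", and the tables personal(LastName, FirstName) and
// exam(Level, Centre, BackupCentre) from the question.

// Make every mysqli error an exception instead of a silent "false" return.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'user', 'passw', 'db');
// Set the connection charset explicitly; the php.net note above is about
// escape_string, but a known charset is needed for the data to round-trip too.
$mysqli->set_charset('utf8mb4');

// Untrusted input is never concatenated into SQL; it travels as parameters.
$lastName  = $_POST['lastName']  ?? '';
$firstName = $_POST['firstName'] ?? '';
$examLevel = $_POST['level']     ?? '';
$centre    = 'Main';   // constructed sample values standing in for the
$backup    = 'Annex';  // question's undefined $centre and $backup

// INSERT with parameter binding: one type letter per "?" ('s' = string).
$stmt = $mysqli->prepare('INSERT INTO personal (LastName, FirstName) VALUES (?, ?)');
$stmt->bind_param('ss', $lastName, $firstName);
$stmt->execute();
$stmt->close();

$stmt = $mysqli->prepare('INSERT INTO exam (Level, Centre, BackupCentre) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $examLevel, $centre, $backup);
$stmt->execute();
$stmt->close();

// SELECT: parameter binding works here as well, and result binding maps each
// output column to a PHP variable that fetch() refills on every row.
$stmt = $mysqli->prepare('SELECT LastName, FirstName FROM personal WHERE LastName = ?');
$stmt->bind_param('s', $lastName);
$stmt->execute();
$stmt->bind_result($outLast, $outFirst);
while ($stmt->fetch()) {
    // Escaping belongs at the output boundary (HTML), not in the SQL layer.
    echo htmlspecialchars("$outLast, $outFirst", ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
$mysqli->close();
```

With MYSQLI_REPORT_STRICT a failed prepare or execute throws mysqli_sql_exception, so the `or die(...)` checks from the old code are no longer needed.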

Convert it to PDO

/* connect */
// The PDO MySQL DSN key for the database is "dbname", not "db".
$dsn = "mysql:host=localhost;dbname=test;charset=utf8";
$opt = array(
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of failing silently
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn, "user", "passw", $opt);


/* insert */
// Placeholders carry the user input; no escaping of the values is needed.
$query = "INSERT INTO personal (LastName, FirstName) VALUES (?, ?)";
$stmt  = $pdo->prepare($query);
$stmt->execute(array($_POST['lastName'], $_POST['firstName']));

$query = "INSERT INTO exam (Level, Centre, BackupCentre, etc) VALUES (?, ?, ?, 'etc')";
$stmt  = $pdo->prepare($query);
$stmt->execute(array($_POST['level'], $centre, $backup));
