stackoom
  简体   繁体   中英

Weird issue where mysql_real_escape_string is returning blank

 原文  2014-02-07 19:54:52       php/ mysql/ magento

Question

I am creating a magento module and and in the controller I am trying to generate a query. ex: "INSERT INTO ". $resource->getTableName('mymod/mymodtable')." SET "INSERT INTO ". $resource->getTableName('mymod/mymodtable')." SET pid ='".mysql_real_escape_string($pp['id'])."'"; On my local setup this works ok, and I get the expected id in pid . But as soon as I upload it to my server, that portion becomes blank. I know that the database connection exists, because it inserts a new row with blank pid on server. I have tried var_dump and it does prove that $pp['id'] has the value, yet mysql_real_escape_string returns blank. I also tried mysqli_real_escape_string , but nothing. Any ideas?

2 answers

solution1
 0  2014-02-07 19:59:10

Which database interface are you using? mysql_real_escape_string should be used only with mysql_query , and you shouldn't be using that interface if you can avoid it. Without a valid connection it may not function correctly.

When using mysqli you should be using parameterized queries and bind_param to add user data to your query. Calling the escaping function manually is usually a mistake.

If you're using Magento, you might want to look at how to escape values using the Magento database layer.

solution2
 0  2014-02-07 21:41:58

Per this previous question , you probably don't have a "database connection".

What's often confusing is, that when the mysql_real_escape_string documentation talks about a database connection, they specifically mean a database connection opened with the mysql_connect function.

If you're using Magento's standard objects to talk to the database, you don't have a mysql_connect connection, you have a PDO connection (via a Zend_Db_Adapter class ). PDO is designed to encourage parameterized queries.

So, your options here

  1. Go with the flow and build your queries using parameterized query strings. (if you can't figure out how a new questions with some code samples should set you right).

  2. The adapter object has a quote method which you can use to quote your strings

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Issue with mysql_real_escape_string() syntax Issue with mysql_real_escape_string() Issue with mysql_real_escape_string mysql_real_escape_string and ’ PHP mysql_real_escape_string() returning `NULL` Mysql_real_escape_string…is there an auto setting else where? Where should I do mysql_real_escape_string? Where to put “mysql_real_escape_string” in this code? Where to use mysql_real_escape_string to prevent SQL Injection? php - mysql_real_escape_string and varchar issue
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM