stackoom
  简体   繁体   中英

mysqli_real_escape_string doesn't insert into db

 原文  2019-03-04 10:58:42       php/ html/ mysql/ database

Question

I propose the following question ... I have to make sure that the following query also accept values ​​with the quotes inside .. I tried using mysqli_real_escape_string but it did not work .. I am attaching my attempts ..

1° Put the function during the post 

        $idCantiere = $_POST["idCantiere"];
        $nomeCantiere = mysqli_real_escape_string($_POST["nomeCantiere"]);
        $sql = "INSERT INTO Cantiere( 
        idCantiere,
        nomeCantiere)
        VALUES(
       '$idCantiere',
       '$nomeCantiere')";
        if (mysqli_query($mysqli, $sql)) 
        {
        echo "<script type='text/javascript'>alert('Cantiere Inserto'); 
        </script>";
        } else
        {
         echo "Error: " . $sql . "" . mysqli_error($mysqli);
        }

2° Put the function during the query 

 $idCantiere = $_POST["idCantiere"];
        $nomeCantiere = $_POST["nomeCantiere"];
        $sql = "INSERT INTO Cantiere( 
        idCantiere,
        nomeCantiere)
        VALUES(
       '$idCantiere',
       mysqli_real_escape_string('$nomeCantiere'))";
        if (mysqli_query($mysqli, $sql)) 
        {
        echo "<script type='text/javascript'>alert('Cantiere Inserto'); 
        </script>";
        } else
        {
         echo "Error: " . $sql . "" . mysqli_error($mysqli);
        }

How can I solve the problem?

5 answers

solution1
 3  2019-03-04 11:04:10

Drop the mysqli_real_escape_string() and just use prepared statements which is simple and prevents sql injections. 

<?php

    $idCantiere = isset($_POST['idCantiere']) ? $_POST['idCantiere'] : null;
    $nomeCantiere = isset($_POST['nomeCantiere']) ? $_POST['nomeCantiere'] : null;


        $sql = $mysqli->prepare("INSERT INTO Cantiere (idCantiere,nomeCantiere) VALUES(?.?)");
        $sql->bind_param("is",$idCantiere,$nomeCantiere);

        if($sql->execute()){

           //success message
        }else{

            //return error
        }


?>

A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency.

Prepared statements basically work like this:

Prepare: An SQL statement template is created and sent to the database. Certain values are left unspecified, called parameters (labeled "?"). Example: INSERT INTO MyGuests VALUES(?, ?, ?) The database parses, compiles, and performs query optimization on the SQL statement template, and stores the result without executing it Execute: At a later time, the application binds the values to the parameters, and the database executes the statement. The application may execute the statement as many times as it wants with different values Compared to executing SQL statements directly, prepared statements have three main advantages:

Prepared statements reduce parsing time as the preparation on the query is done only once (although the statement is executed multiple times) Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

solution2
 0  2019-03-04 11:04:28

You have to pass the connection variable as first parameter Eg: 

$con=mysqli_connect("localhost","my_user","my_password","my_db");
$age = mysqli_real_escape_string($con, $_POST['age']);

Checkout documentation for more detail. http://php.net/manual/en/mysqli.real-escape-string.php

solution3
 0  2019-03-04 11:04:37

你在函数mysqli_real_escape_string($con,$sql);中缺少一个参数mysqli_real_escape_string($con,$sql);

solution4
 0  2019-03-04 11:04:42

You can try to replace quote with php 

$nomeCantiere = $_POST["nomeCantiere"];
str_replace("'", "''", $nomeCantiere );

if you insert 2 quotes ( '' ) instead of one mysql will put that value in the table with only 1 quote

solution5
 0 ACCPTED  2019-03-04 11:12:49

You are wrong to pass parameters to the mysqli_real_escape_string () function before inserting the post you must put the connection string with which you access the DB 

$connection=mysqli_connect("localhost","USER","PASSWORD","DB");
$nomeCantiere= mysqli_real_escape_string($connection, $_POST['nomeCantiere']);

your second attempt is wrong reuses my line of code in the first .. during the post

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question mysqli_real_escape_string doesn't seem to be working How to insert serialized array in MySQL DB using mysqli_real_escape_string() mysqli_real_escape_string mysqli link? mySQLI - problem with mysqli_real_escape_string database doesn't allow special chars even after using mysqli_real_escape_string mysqli_real_escape_string() isn't functioning properly mysqli_real_escape_string () can't find my $connSQL mysqli_real_escape_string for int PHP:Mysqli_real_escape_string mysqli_real_escape_string() conversion assistance
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM