[英]mysqli_real_escape_string() isn't functioning properly
我有以下PHP函數:
public function signup() { $mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE); if (mysqli_connect_errno($mysql)) { $this->viewModel->set("pageTitle", "Signup"); $this->viewModel->set("message", "There was an error connecting to the server."); return $this->viewModel; } if ($result = $mysql->query("SELECT id FROM mailinglist WHERE email='" . $this->email . "';")) { if ($result->num_rows == 0) { $mysql->query("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');"); $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . "."); } else { $this->viewModel->set("message", "You are already signed up for updates!"); } } else { $this->viewModel->set("message", "There was an error adding you the mailing list."); } $this->viewModel->set("pageTitle", "Signup"); return $this->viewModel; }
可以正常運行並返回我想要的結果,但是,如果我嘗試對查詢使用mysqli_real_escape_string(),它將無法正常工作。 也就是說,下面的代碼
public function signup() { $mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE); if (mysqli_connect_errno($mysql)) { $this->viewModel->set("pageTitle", "Signup"); $this->viewModel->set("message", "There was an error connecting to the server."); return $this->viewModel; } $query = $mysql->real_escape_string("SELECT id FROM mailinglist WHERE email='" . $this->email . "';"); if ($result = $mysql->query($query)) { if ($result->num_rows == 0) { $query = $mysql->real_escape_string("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');"); $mysql->query($query); $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . "."); } else { $this->viewModel->set("message", "You are already signed up for updates!"); } } else { $this->viewModel->set("message", "There was an error adding you the mailing list."); } $this->viewModel->set("pageTitle", "Signup"); return $this->viewModel; }
不起作用。 連接不是問題,我嘗試使用mysqli_real_escape_string()代替$ mysql-> real_escape_string(),但它們都不起作用。 誰能看到這段代碼有什么問題嗎?
不要這樣做,請使用准備好的語句。 它們更安全,更可靠。 您仍然需要清理數據以獲得適當的價值,並跨站點編寫腳本以列舉仍然會遇到的一些風險。 數據轉義是防止SQL注入的一種方法,但這並不是充分的證明。 准備好的語句告訴DB服務器假定傳入的數據是不安全的,只接受它,而不要像連接的字符串那樣處理它。 數據庫采用您的參數,就像它們是語句的變量而不是語句的一部分一樣。
您可以通過以下方式將其更改為准備好的語句:
$stmt=$mysql->prepare("SELECT id FROM mailinglist WHERE email=?");
$stmt->bind_param('s',$this->email);
$result=$stmt->execute();
if ($result) {
if ($result->num_rows == 0) {
$stmt=$mysql->prepare("INSERT INTO mailinglist (email) VALUES (?)");
$stmt->bind_param('s', $this->email);
$stmt->execute();
$this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
} else {
$this->viewModel->set("message", "You are already signed up for updates!");
}
} else {
$this->viewModel->set("message", "There was an error adding you the mailing list.");
}
您必須轉義數據而不是整個查詢。
public function signup() {
$mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE);
if (mysqli_connect_errno($mysql)) {
$this->viewModel->set("pageTitle", "Signup");
$this->viewModel->set("message", "There was an error connecting to the server.");
return $this->viewModel;
}
$query = "SELECT id FROM mailinglist WHERE email='" .$mysql->real_escape_string( $this->email ). "'"
if ($result = $mysql->query($query)) {
if ($result->num_rows == 0) {
$query = "INSERT INTO mailinglist (email) VALUES ('" . $mysql->real_escape_string($this->email) . "')";
$mysql->query($query);
$this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
} else {
$this->viewModel->set("message", "You are already signed up for updates!");
}
} else {
$this->viewModel->set("message", "There was an error adding you the mailing list.");
}
$this->viewModel->set("pageTitle", "Signup");
return $this->viewModel;
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.