堆棧內存溢出
  簡體   English   中英

mysqli_real_escape_string()無法正常運行

[英]mysqli_real_escape_string() isn't functioning properly

 原文  2013-11-05 03:44:35       php/ mysql/ mysqli

問題描述

我有以下PHP函數: 

public function signup() {
        $mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE);
        if (mysqli_connect_errno($mysql)) {
            $this->viewModel->set("pageTitle", "Signup");
            $this->viewModel->set("message", "There was an error connecting to the server.");
            return $this->viewModel;
        }
        if ($result = $mysql->query("SELECT id FROM mailinglist WHERE email='" . $this->email . "';")) {
            if ($result->num_rows == 0) {
                $mysql->query("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');");
                $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
            } else {
                $this->viewModel->set("message", "You are already signed up for updates!");
            }
        } else {
            $this->viewModel->set("message", "There was an error adding you the mailing list.");
        }
        $this->viewModel->set("pageTitle", "Signup");
        return $this->viewModel;
    }

可以正常運行並返回我想要的結果,但是,如果我嘗試對查詢使用mysqli_real_escape_string(),它將無法正常工作。 也就是說,下面的代碼 

public function signup() {
        $mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE);
        if (mysqli_connect_errno($mysql)) {
            $this->viewModel->set("pageTitle", "Signup");
            $this->viewModel->set("message", "There was an error connecting to the server.");
            return $this->viewModel;
        }
        $query = $mysql->real_escape_string("SELECT id FROM mailinglist WHERE email='" . $this->email . "';");
        if ($result = $mysql->query($query)) {
            if ($result->num_rows == 0) {
                $query = $mysql->real_escape_string("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');");
                $mysql->query($query);
                $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
            } else {
                $this->viewModel->set("message", "You are already signed up for updates!");
            }
        } else {
            $this->viewModel->set("message", "There was an error adding you the mailing list.");
        }
        $this->viewModel->set("pageTitle", "Signup");
        return $this->viewModel;
    }

不起作用。 連接不是問題,我嘗試使用mysqli_real_escape_string()代替$ mysql-> real_escape_string(),但它們都不起作用。 誰能看到這段代碼有什么問題嗎?

2 個解決方案

解決方案1
 1  2013-11-05 04:31:30

不要這樣做,請使用准備好的語句。 它們更安全,更可靠。 您仍然需要清理數據以獲得適當的價值,並跨站點編寫腳本以列舉仍然會遇到的一些風險。 數據轉義是防止SQL注入的一種方法,但這並不是充分的證明。 准備好的語句告訴DB服務器假定傳入的數據是不安全的,只接受它,而不要像連接的字符串那樣處理它。 數據庫采用您的參數,就像它們是語句的變量而不是語句的一部分一樣。

您可以通過以下方式將其更改為准備好的語句: 

$stmt=$mysql->prepare("SELECT id FROM mailinglist WHERE email=?");
$stmt->bind_param('s',$this->email);
$result=$stmt->execute();
if ($result) {
    if ($result->num_rows == 0) {
        $stmt=$mysql->prepare("INSERT INTO mailinglist (email) VALUES (?)");
        $stmt->bind_param('s', $this->email);
        $stmt->execute();
        $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
     } else {
        $this->viewModel->set("message", "You are already signed up for updates!");
     }
} else {
     $this->viewModel->set("message", "There was an error adding you the mailing list.");

}

解決方案2
 -1  2013-11-05 04:01:30

您必須轉義數據而不是整個查詢。 

public function signup() {
        $mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE);
        if (mysqli_connect_errno($mysql)) {
            $this->viewModel->set("pageTitle", "Signup");
            $this->viewModel->set("message", "There was an error connecting to the server.");
            return $this->viewModel;
        }
       $query = "SELECT id FROM mailinglist WHERE email='" .$mysql->real_escape_string( $this->email ). "'"
        if ($result = $mysql->query($query)) {
            if ($result->num_rows == 0) {
               $query = "INSERT INTO mailinglist (email) VALUES ('" . $mysql->real_escape_string($this->email) . "')";
                $mysql->query($query);
                $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
            } else {
                $this->viewModel->set("message", "You are already signed up for updates!");
            }
        } else {
            $this->viewModel->set("message", "There was an error adding you the mailing list.");
        }
        $this->viewModel->set("pageTitle", "Signup");
        return $this->viewModel;
    }

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 mysqli_real_escape_string無法正常工作 如何正確使用mysqli_real_escape_string mysqli_real_escape_string mysqli鏈接? mySQLI-mysqli_real_escape_string問題 mysqli_real_escape_string不會插入到db中 mysqli_real_escape_string似乎不起作用 mysqli_real_escape_string()找不到我的$ connSQL mysqli_real_escape_string 用於 int PHP的:Mysqli_real_escape_string mysqli_real_escape_string()轉換幫助
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM