使用 mysqli_real_escape_string 时查询不 运行
Query does not run when using mysqli_real_escape_string
我正在将旧脚本转换为与 MySQLi 兼容,运行 出现问题...
$link = mysqli_connect("localhost", "user", "password", "database");
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$myQuery = "INSERT INTO table (name, description) VALUES ('$name', '$description')";
if (!mysqli_query($link, $myQuery)) {
printf('Error');
} else {
printf('Success');
}
mysqli_close($link);
这工作正常,没有错误。但是当我添加 mysqli_real_escape_string() 我得到一个错误...
$link = mysqli_connect("localhost", "user", "password", "database");
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$myQuery = "INSERT INTO table (name, description) VALUES ('$name', '$description')";
$myQuery = mysqli_real_escape_string($link, $myQuery);
if (!mysqli_query($link, $myQuery)) {
printf('Error');
} else {
printf('Success');
}
mysqli_close($link);
这returns一个错误:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '\'TestName\', \'TestDescription\' at line 1
我是不是漏掉了一些简单的东西?引号?
这一行:
$myQuery = mysqli_real_escape_string($link, $myQuery);
不对。
您需要使用 $name 变量而不是 $myQuery 变量。那是需要转义的,而不是整个查询本身。
$myQuery = mysqli_real_escape_string($link, $name);
但是,^ $myQuery 应替换为要插入的每个变量。
您的查询应该更像这样:
$name = "TestName";
$description = "TestDescription";
$name = mysqli_real_escape_string($link, $name);
$description = mysqli_real_escape_string($link, $description);
$myQuery = "INSERT INTO `table` (name, description) VALUES ('$name', '$description')";
if (!mysqli_query($link, $myQuery)) {
printf('Error');
} else {
printf('Success');
}
备注:
您可能需要考虑使用 mysqli with prepared statements, or PDO with prepared statements,它们更安全。
另外,仅供讨论; table 是一个 MySQL reserved word 应该是 table 的实际名称并且需要转义:
$myQuery = "INSERT INTO `table`
- 只是一个见解。
mysqli 准备语句的示例:
$variable_1 = "Text";
$variable_2 = "More text";
$stmt = $link->prepare("INSERT INTO table_name
(column_1, column_2)
VALUES (?,?)");
$stmt->bind_param('ss', $variable_1, $variable_2);
$stmt->execute();
- 旁注:
s 用于字符串
PDO 预处理语句示例:
$dbh = new PDO('mysql:host=localhost;dbname=your_DB', $user, $pass);
$var_1 = "Text";
$var_2 = "More text";
$stmt = $dbh->prepare("INSERT INTO table_name
(column_1, column_2)
VALUES (:var_1,:var_2)");
$stmt->execute(array(':var_1' => $var_1, ':var_2' => $var_2));
我正在将旧脚本转换为与 MySQLi 兼容,运行 出现问题...
$link = mysqli_connect("localhost", "user", "password", "database");
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$myQuery = "INSERT INTO table (name, description) VALUES ('$name', '$description')";
if (!mysqli_query($link, $myQuery)) {
printf('Error');
} else {
printf('Success');
}
mysqli_close($link);
这工作正常,没有错误。但是当我添加 mysqli_real_escape_string() 我得到一个错误...
$link = mysqli_connect("localhost", "user", "password", "database");
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$myQuery = "INSERT INTO table (name, description) VALUES ('$name', '$description')";
$myQuery = mysqli_real_escape_string($link, $myQuery);
if (!mysqli_query($link, $myQuery)) {
printf('Error');
} else {
printf('Success');
}
mysqli_close($link);
这returns一个错误:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'TestName\', \'TestDescription\' at line 1
我是不是漏掉了一些简单的东西?引号?
这一行:
$myQuery = mysqli_real_escape_string($link, $myQuery);
不对。
您需要使用 $name 变量而不是 $myQuery 变量。那是需要转义的,而不是整个查询本身。
$myQuery = mysqli_real_escape_string($link, $name);
但是,^ $myQuery 应替换为要插入的每个变量。
您的查询应该更像这样:
$name = "TestName";
$description = "TestDescription";
$name = mysqli_real_escape_string($link, $name);
$description = mysqli_real_escape_string($link, $description);
$myQuery = "INSERT INTO `table` (name, description) VALUES ('$name', '$description')";
if (!mysqli_query($link, $myQuery)) {
printf('Error');
} else {
printf('Success');
}
备注:
您可能需要考虑使用 mysqli with prepared statements, or PDO with prepared statements,它们更安全。
另外,仅供讨论; table 是一个 MySQL reserved word 应该是 table 的实际名称并且需要转义:
$myQuery = "INSERT INTO `table`
- 只是一个见解。
mysqli 准备语句的示例:
$variable_1 = "Text";
$variable_2 = "More text";
$stmt = $link->prepare("INSERT INTO table_name
(column_1, column_2)
VALUES (?,?)");
$stmt->bind_param('ss', $variable_1, $variable_2);
$stmt->execute();
- 旁注:
s用于字符串
PDO 预处理语句示例:
$dbh = new PDO('mysql:host=localhost;dbname=your_DB', $user, $pass);
$var_1 = "Text";
$var_2 = "More text";
$stmt = $dbh->prepare("INSERT INTO table_name
(column_1, column_2)
VALUES (:var_1,:var_2)");
$stmt->execute(array(':var_1' => $var_1, ':var_2' => $var_2));