使用 mysqli_real_escape_string 时查询不 运行

Query does not run when using mysqli_real_escape_string

我正在将旧脚本转换为与 MySQLi 兼容,运行 出现问题...

$link = mysqli_connect("localhost", "user", "password", "database");

if (mysqli_connect_errno()) {
     printf("Connect failed: %s\n", mysqli_connect_error());
     exit();
} 

$myQuery = "INSERT INTO table (name, description) VALUES ('$name', '$description')";

if (!mysqli_query($link, $myQuery)) {
    printf('Error');
} else {
    printf('Success');
}

mysqli_close($link);

这工作正常,没有错误。但是当我添加 mysqli_real_escape_string() 我得到一个错误...

$link = mysqli_connect("localhost", "user", "password", "database");

if (mysqli_connect_errno()) {
     printf("Connect failed: %s\n", mysqli_connect_error());
     exit();
} 

$myQuery = "INSERT INTO table (name, description) VALUES ('$name', '$description')";

$myQuery = mysqli_real_escape_string($link, $myQuery);

if (!mysqli_query($link, $myQuery)) {
    printf('Error');
} else {
    printf('Success');
}

mysqli_close($link);

这returns一个错误:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'TestName\', \'TestDescription\' at line 1

我是不是漏掉了一些简单的东西?引号?

这一行:

$myQuery = mysqli_real_escape_string($link, $myQuery);

不对。

您需要使用 $name 变量而不是 $myQuery 变量。那是需要转义的,而不是整个查询本身。

$myQuery = mysqli_real_escape_string($link, $name);

但是,^ $myQuery 应替换为要插入的每个变量。

您的查询应该更像这样:

$name = "TestName";
$description = "TestDescription";

$name = mysqli_real_escape_string($link, $name);
$description = mysqli_real_escape_string($link, $description);

$myQuery = "INSERT INTO `table` (name, description) VALUES ('$name', '$description')";

if (!mysqli_query($link, $myQuery)) {
    printf('Error');
} else {
    printf('Success');
}

备注:

您可能需要考虑使用 mysqli with prepared statements, or PDO with prepared statements它们更安全


另外,仅供讨论; table 是一个 MySQL reserved word 应该是 table 的实际名称并且需要转义:

$myQuery = "INSERT INTO `table`
  • 只是一个见解。

mysqli 准备语句的示例:

$variable_1 = "Text";
$variable_2 = "More text";

$stmt = $link->prepare("INSERT INTO table_name 
                        (column_1, column_2) 
                        VALUES (?,?)");

$stmt->bind_param('ss', $variable_1, $variable_2);
$stmt->execute();
  • 旁注:s 用于字符串

PDO 预处理语句示例:

$dbh = new PDO('mysql:host=localhost;dbname=your_DB', $user, $pass);

$var_1 = "Text";
$var_2 = "More text";

$stmt = $dbh->prepare("INSERT INTO table_name 
                       (column_1, column_2) 
                       VALUES (:var_1,:var_2)");

$stmt->execute(array(':var_1' => $var_1, ':var_2' => $var_2));