Fatal编程技术网
  • php/
  • Php SQLi对用户输入文本的保护

Php SQLi对用户输入文本的保护

php mysql

Php SQLi对用户输入文本的保护,php,mysql,mysqli,Php,Mysql,Mysqli,我通常会进行手动sqli参数检查(即检查输入是否是有效的电子邮件) 虽然在这种情况下,我需要将用户消息放入我的数据库中 这是怎么回事 我试过这段代码,但是整个输入都被删除了 <?php $text = "Hello World"; echo "$text is now "; $text = stripslashes($text); $text = mysqli_real_escape_string($text); echo $text; ?> 谢谢你 防止PHP中的S

我通常会进行手动sqli参数检查(即检查输入是否是有效的电子邮件)

虽然在这种情况下,我需要将用户消息放入我的数据库中

这是怎么回事

我试过这段代码,但是整个输入都被删除了

<?php

$text = "Hello World";

echo "$text is now ";

$text = stripslashes($text);
$text = mysqli_real_escape_string($text);

echo $text;

?>
谢谢你

防止PHP中的SQL注入:

//Escaping characters
$db->real_escape_string('This is an unescaped "string"');
//There is an alias function that you can use which is shorter and less to type: 
$db->escape_string('This is an unescape "string"');
您可以使用以下任何一种方式来实现此目的:

  • 对于(MySQL):

    注意:对于MySQLi的使用,可以使用程序样式或(推荐)

  • 对于(PDO是任何受支持的数据库驱动程序的通用解决方案):

    示例:

    //Escaping characters
$db->real_escape_string('This is an unescaped "string"');
//There is an alias function that you can use which is shorter and less to type: 
$db->escape_string('This is an unescape "string"');

    mysqli\u real\u escape\u string
    需要链接参数,这里没有链接参数,其余的我不明白你到底需要什么谢谢你的回答 
    try {
    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
    foreach($dbh->query('SELECT * from users') as $row) {
        print_r($row);
    }
    $dbh = null;
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}

    $text = $db->mysqli_real_escape_string($text);

    //Escaping characters
$db->real_escape_string('This is an unescaped "string"');
//There is an alias function that you can use which is shorter and less to type: 
$db->escape_string('This is an unescape "string"');