PHP mysql_real_escape_string not working

I am trying to read from and write to a database. Here is the code I have so far:
$mysql = mysqli_connect("example.com", "johndoe", "abc123"); // replace with actual credentials
$username = mysqli_real_escape_string("username");
$sql = "CREATE DATABASE IF NOT EXISTS dbname";
if (!mysqli_query($mysql, $sql)) {
    echo "Error creating database: " . mysqli_error($mysql);
}
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
mysqli_close($mysql);

$mysql = mysqli_connect("example.com", "johndoe", "abc123", "dbname"); // replace with actual credentials
$sql = "CREATE TABLE IF NOT EXISTS Users(ID INT NOT NULL AUTO_INCREMENT, PRIMARY KEY(ID), username CHAR(15), password CHAR(15), email CHAR(50))";
if (!mysqli_query($mysql, $sql)) {
    echo "Error creating table: " . mysqli_error($mysql);
}
$sql = "INSERT INTO Users(username, password, email) VALUES(" . $username . ", " . $password . ", " . $email . ")";
if (!mysqli_query($mysql, $sql)) {
    echo "Error: " . mysqli_error($mysql);
}
mysqli_close($mysql);
But when I try to run it, I get this error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , )' at line 1
Can anyone tell me how to fix this?

Rewrite your second SQL query like this:

$sql = "INSERT INTO Users(`username`, `password`, `email`) VALUES ('$username','$password','$email')";
The problem is improper escaping.

Side note: switch to prepared statements. They are more resilient to SQL injection attacks. Use prepared statements: they escape the parameters automatically.

By the way, the parameters in the last SQL statement were not escaped and concatenated correctly. mysqli_real_escape_string also needs the connection as a parameter:
$username = mysqli_real_escape_string($mysql,"username");
Escape the characters and clean them before inserting into the database.

Finally, when outputting, to escape " on the page, use htmlspecialchars($quote_str, ENT_QUOTES) or htmlentities($quote_str, ENT_QUOTES).

...want, but where in this program is mysql_real_escape_string? (It is spelled "escape", not "excape".) Oops, sorry, that was a typo. @inf3rno, I agree. Side note added.
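The two fixes the answer recommends, written out as an added example (this is not code from the question or the answers): mysqli_real_escape_string called with the connection as its first argument and the escaped value still wrapped in quotes, and the INSERT rewritten as a prepared statement with bound parameters so the values never become part of the SQL text. The host, credentials and Users table are those of the question; the sample values are constructed and include a quote character of the kind that broke the original concatenated query.

```php
<?php
// Added example, not from the original post. Assumes the question's host,
// credentials and Users table; the input values below are constructed.
$mysql = mysqli_connect("example.com", "johndoe", "abc123", "dbname");
if (!$mysql) {
    die("Failed to connect to MySQL: " . mysqli_connect_error());
}
// The server must know the connection charset for escaping and binding to be correct.
mysqli_set_charset($mysql, "utf8mb4");

// Constructed sample input; the apostrophe would have produced the
// "error in your SQL syntax" seen in the question when concatenated unquoted.
$username = "o'brien";
$password = "p@ss\"word";
$email    = "obrien@example.com";

// Correct use of mysqli_real_escape_string: connection first, and the result
// still has to sit inside single quotes in the SQL string.
$safeUser = mysqli_real_escape_string($mysql, $username);
$lookup   = "SELECT ID FROM Users WHERE username = '$safeUser'";
$result   = mysqli_query($mysql, $lookup);
if (!$result) {
    echo "Error: " . mysqli_error($mysql);
}

// Preferred: a prepared statement. The placeholders are part of the query
// text; the values are sent separately and cannot change the statement.
$stmt = mysqli_prepare($mysql, "INSERT INTO Users(username, password, email) VALUES (?, ?, ?)");
if (!$stmt) {
    die("Prepare failed: " . mysqli_error($mysql));
}
mysqli_stmt_bind_param($stmt, "sss", $username, $password, $email);
if (!mysqli_stmt_execute($stmt)) {
    echo "Error: " . mysqli_stmt_error($stmt);
}
mysqli_stmt_close($stmt);
mysqli_close($mysql);
```

With the prepared statement there is no escaping step to forget: the same three-column INSERT works for every value of $username, $password and $email, and the "s" type string tells mysqli to bind all three as strings.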
<?php
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
        '@<[\/\!]*?[^<>]*?>@si',          // Strip out HTML tags
        '@<style[^>]*?>.*?</style>@siU',  // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@'       // Strip multi-line comments
    );
    $output = preg_replace($search, '', $input);
    return $output;
}
?>