Php 有人能解释一下准备好的陈述吗?
我目前使用的是Php 有人能解释一下准备好的陈述吗?,php,mysql,sql-injection,Php,Mysql,Sql Injection,我目前使用的是mysql\u real\u escape\u string(),但听说有人使用“准备好的语句”。因此,我想知道这种方式mysql\u real\u escape\u string()是否仍然安全,但如果不安全,有人能解释一下我如何更改代码以允许准备语句吗 $conn=mysql_connect("localhost", "u611142741_list", "REDACTED"); mysql_select_db("u611142741_sugge", $conn); //
mysql\u real\u escape\u string()mysql\u real\u escape\u string()$conn=mysql_connect("localhost", "u611142741_list", "REDACTED");
mysql_select_db("u611142741_sugge", $conn);
// If the form has been submitted
if (trim($_POST["suggestion543"]) == "") {
echo "Error";
echo '<script language="javascript">';
echo 'alert("Invalid entry! Try Again.")';
echo '</script>';
echo '<script>';
echo 'setTimeout(function(){ window.location="" }, 500)';
echo '</script>';
} else {
$suggestion = mysql_real_escape_string($_POST['suggestion543']);
$ip = $_SERVER['REMOTE_ADDR'];
echo "Thank you for submitting your suggestion!";
echo '<script>';
echo 'setTimeout(function(){ window.location="" }, 2000)';
echo '</script>';
};
// Build an sql statment to add the student details
$sql="INSERT INTO suggestions
(`Suggestion`, `IP Address`) VALUES
('$suggestion','$ip')";
$result = mysql_query($sql,$conn);
// close connection
mysql_close($conn);
$conn=mysql\u connect(“本地主机”、“u611142741\u列表”、“修订版”);
mysql_select_db(“u611142741_sugge”,$conn);
//如果表格已经提交
如果(修剪($_POST[“suggestion543”])=“”){
回声“错误”;
回声';
回显“警报”(“无效条目!重试”);
回声';
回声';
echo“setTimeout(function(){window.location=”“},500)”;
回声';
}否则{
$suggestion=mysql\u real\u escape\u字符串($\u POST['suggestion543']);
$ip=$\u服务器['REMOTE\u ADDR'];
echo“感谢您提交您的建议!”;
回声';
echo“setTimeout(function(){window.location=”“},2000)”;
回声';
};
//构建sql语句以添加学生详细信息
$sql=“插入到建议中”
(`Suggestion`、`IP Address`)值
("建议","建议","知识产权");;
$result=mysql\u查询($sql,$conn);
//密切联系
mysql_close($conn);
mysql\u real\u escape\u string()mysql_*()prepare()/bindParam()/execute()mysql\u query()