Help needed with escaping data for a MySQL query

Posted 2024-09-03 10:07:32 (791 characters, 3 views, 0 comments)


Please don't send me a link to php.net referencing mysql_real_escape_string as the only response. I have read through the page and while I understand the general concepts, I am having some trouble based on how my INSERT statement is currently built.

Today, I am using the following:

$sql = "INSERT INTO tablename VALUES ('', 
                                      '$_SESSION['Member1FirstName'], 
                                      '$_SESSION['Member1LastName'], 
                                      '$_SESSION['Member1ID'], 
                                      '$_SESSION['Member2FirstName'], 
                                      '$_SESSION['Member2LastName'], 
                                      '$_SESSION['Member2ID'] ....)

and the list goes on for 20+ members with some other values entered. It seems most people in the examples already have all their data stored in an array.

On my site, I accept form inputs, action="" is set to self, php validation takes place and if validation passes, data is stored into SESSION variables on page 2 then redirected to the next page in the process (page 3) (approximately 8-10 pages in the whole process).


Comments (3)

舞袖。长 2024-09-10 10:07:32


You seem to already know that you should be using mysql_real_escape_string, but I guess you don't know how to use it. You need to apply it to each user-supplied string you insert into your SQL. The following example should clarify this:

$sql = "INSERT INTO tablename VALUES ('', '" .
    mysql_real_escape_string($_SESSION['Member1FirstName']) . "', '" .
    mysql_real_escape_string($_SESSION['Member1LastName']) . "', '" .
    etc..

Or alternatively look into prepared statements and bind parameters for an easier (and faster) solution.

深空失忆 2024-09-10 10:07:32

  1. you're missing your closing single-quote and vars aren't replaced inside of single quotes.

  2. mysql_real_escape_string is the answer, but try it with sprintf:

    $sql = sprintf("INSERT INTO tablename VALUES ('', '%s', '%s', '%d' )",
    mysql_real_escape_string( $_SESSION['Member1FirstName']),
    mysql_real_escape_string( $_SESSION['Member1LastName']),
    $_SESSION['Member1ID']); // %d forced it as a digit

https://www.php.net/manual/en/function.sprintf.php

雨后咖啡店 2024-09-10 10:07:32


Why can't you use mysql_real_escape_string?

You can also use a regexp to only allow certain characters that would be expected in a name.
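The three answers above make three separate points: escape every value, force numeric fields to be numeric, and allowlist what a name may contain. The following is an added example (not code from the question or from any of the answers) that combines them using the prepared-statement approach the first answer recommends. It builds one INSERT for all members from the session data with a `?` placeholder per value, so the SQL text and the data travel to the server separately and no escaping call is needed at all. The table name `tablename` comes from the question; the DSN, credentials, the column order (auto-increment id first, then first name, last name, ID for each member), the member count, the name allowlist regex and the `$session` sample data are assumptions.

```php
<?php
// Added example: PDO prepared statement for the multi-member INSERT.
// Column order, DSN and credentials are assumed, not taken from the page.

/**
 * Validate the session data for $memberCount members and return the
 * flat list of values in column order: first, last, id, first, last, id, ...
 * Invalid input is rejected rather than "cleaned", so a bad value never
 * reaches the database in any form.
 */
function buildMemberValues(array $session, int $memberCount): array
{
    // Allowlist (assumed): letters in any script, combining marks, spaces,
    // apostrophes and hyphens, 1..50 characters.
    $namePattern = '/^[\p{L}\p{M} \'-]{1,50}$/u';
    $values = [];

    for ($i = 1; $i <= $memberCount; $i++) {
        $first = $session["Member{$i}FirstName"] ?? '';
        $last  = $session["Member{$i}LastName"]  ?? '';
        $id    = $session["Member{$i}ID"]        ?? '';

        if (!preg_match($namePattern, $first) || !preg_match($namePattern, $last)) {
            throw new InvalidArgumentException("Member $i: name contains disallowed characters");
        }
        // Same intent as the sprintf('%d') in the second answer, but as a
        // hard check: the ID must be all digits, then it is bound as an int.
        if (!ctype_digit((string) $id)) {
            throw new InvalidArgumentException("Member $i: ID must be numeric");
        }

        $values[] = $first;
        $values[] = $last;
        $values[] = (int) $id;
    }
    return $values;
}

/**
 * Insert one row holding all members. Returns the new auto-increment id.
 */
function insertMembers(PDO $pdo, array $session, int $memberCount): int
{
    $values = buildMemberValues($session, $memberCount);

    // One '?' per value; NULL for the assumed auto-increment first column
    // (the question used '' there, which MySQL also accepts for AUTO_INCREMENT).
    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    $sql = "INSERT INTO tablename VALUES (NULL, $placeholders)";

    $stmt = $pdo->prepare($sql);
    $stmt->execute($values);   // data is bound server-side, never spliced into $sql
    return (int) $pdo->lastInsertId();
}

// --- usage (assumed DSN/credentials; replace with your own) -----------------
$pdo = new PDO('mysql:host=localhost;dbname=DBNAME_PLACEHOLDER;charset=utf8mb4',
               'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// In the real flow this is $_SESSION; here a constructed sample so the
// example is self-contained. Note the apostrophe in the second surname:
// with string concatenation it would have broken (or injected into) the SQL.
$session = [
    'Member1FirstName' => 'Ada',   'Member1LastName' => 'Lovelace', 'Member1ID' => '1815',
    'Member2FirstName' => "Miles", 'Member2LastName' => "O'Brien",  'Member2ID' => '2154',
];

$newId = insertMembers($pdo, $session, 2);
```

Because the placeholders are generated from the validated value list, the same two functions handle 2 members or 20+ without any change to the SQL string, and the only thing that grows with the member count is the `?` list.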
