当前位置: 文江博客话题详情

如何在 PHP 中使用 mysql_real_escape_string 函数

发布于 2024-11-02 00:56:45 字数 1133 浏览 1 评论 0原文

因此,在我编写的这个程序中,我实际上使用表单从用户那里获取 SQL 查询。然后我继续在我的数据库上运行该查询。

我知道不要“信任”用户输入,所以我想对输入进行清理。我正在尝试使用 mysql_real_escape_string ,但未能成功使其正常工作。

根据输入,这是我正在尝试的: select * from Actor;

//"query" is the input string: 
$clean_string = mysql_real_escape_string($query, $db_connection); 
$rs = mysql_query($clean_string, $db_connection); 
if (!$rs) 
{ 
    echo "Invalid input!"; 
}

这总是给我

“输入无效!”

错误。

当我取出 clean_string 部分并在查询上运行 mysql_query 时,

“无效 输入“

消息不会输出。相反,当我这样做时:

$rs = mysql_query($query, $db_connection); 
if (!$rs) 
{ 
   echo "Invalid input!"; 
}

它不会输出

“输入无效”。

但是,我需要使用 mysql_real_escape_string 函数。我做错了什么?

更新:

给定 select * from Actor; 作为输入,我发现了以下内容。

使用 echo 语句我已经 发现在清理之前,字符串保存的值是: 从演员中选择*; 这是正确的。然而,消毒后,它持有不正确的 select *\r\nfrom Actor; 的值,因此出现错误消息。为什么是 mysql_real_escape_string 这样做吗?

原文

So in this program I'm writing, I actually grab a SQL query from the user using a form. I then go on to run that query on my database.

I know not to "trust" user input, so I want to do sanitization on the input. I'm trying to use mysql_real_escape_string but have been unsuccessful in getting it to work.

Here's what I'm trying, given the input:
select * from Actor;

//"query" is the input string: 
$clean_string = mysql_real_escape_string($query, $db_connection); 
$rs = mysql_query($clean_string, $db_connection); 
if (!$rs) 
{ 
    echo "Invalid input!"; 
}

This is ALWAYS giving me the

"Invalid input!"

error.

When I take out the clean_string part and just run mysql_query on query, the

"invalid
input"

message is not output. Rather, when I do this:

$rs = mysql_query($query, $db_connection); 
if (!$rs) 
{ 
   echo "Invalid input!"; 
}

It does NOT output

"invalid input".

However, I need to use the mysql_real_escape_string function. What am I doing wrong?

Update:

Given
select * from Actor; as an input, I've found the following.

Using echo statements I've
found that before sanitizing, the string holds the value:
select * from Actor;
which is correct. However, after sanitizing it holds the incorrect
value of select *\r\nfrom Actor;, hence the error message. Why is
mysql_real_escape_string doing this?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(6

蓝礼 2024-11-09 00:56:45

将其用于查询中的实际值,而不是整个查询字符串本身。

例子:

$username = mysql_real_escape_string($_POST['username']);
$query = "update table set username='$username' ...";
$rs = mysql_query($query);

use it on the actual values in your query, not the whole query string itself.

example:

$username = mysql_real_escape_string($_POST['username']);
$query = "update table set username='$username' ...";
$rs = mysql_query($query);
回复 原文
素年丶 2024-11-09 00:56:45

不要使用过时的 mysql 扩展,而是切换到 PDO准备好的语句参数不容易受到注入,因为它们将值与语句分开。准备好的语句和 PDO 还有其他优点,包括性能、易用性和附加功能。如果您需要教程,请尝试“使用 PHP 和 PDO 编写 MySQL 脚本”。

Rather than using the outdated mysql extension, switch to PDO. Prepared statement parameters aren't vulnerable to injection because they keep values separate from statements. Prepared statements and PDO have other advantages, including performance, ease of use and additional features. If you need a tutorial, try "Writing MySQL Scripts with PHP and PDO".

回复 原文
溺深海 2024-11-09 00:56:45

mysql_real_escape_string()字符串转义函数。它不会使任何输入安全,只是字符串,不能与 LIKE 子句一起使用,并且整数仍然需要以不同的方式处理。

一个更简单、更通用的示例可能是:

 $post = array_map("mysql_real_escape_string", $_POST);
 // cleans all input variables at once

 mysql_query("SELECT * FROM tbl WHERE id='$post[id]' 
                OR name='$post[name]' OR mtime<'$post[mtime]' ");
 // uses escaped $post rather than the raw $_POST variables

请注意,对于 SQL 字符串,每个变量仍必须用 ' 单引号括起来。 (否则转义就没有意义了。)

mysql_real_escape_string() is the string escaping function. It does not make any input safe, just string values, not for use with LIKE clauses, and integers need to be handled differently still.

An easier and more universal example might be:

 $post = array_map("mysql_real_escape_string", $_POST);
 // cleans all input variables at once

 mysql_query("SELECT * FROM tbl WHERE id='$post[id]' 
                OR name='$post[name]' OR mtime<'$post[mtime]' ");
 // uses escaped $post rather than the raw $_POST variables

Note how each variable must still be enclosed by ' single quotes for SQL strings. (Otherwise the escaping would be pointless.)

回复 原文
但可醉心 2024-11-09 00:56:45

您应该使用 mysql_real_escape_string 转义查询的参数,而不是整个查询本身。

例如,假设您有从表单收到的两个变量。然后,您的代码将如下所示:

$Query = sprintf(
    'INSERT INTO SomeTable VALUES("%s", "%s")', 
    mysql_real_escape_string($_POST['a'], $DBConnection),
    mysql_real_escape_string($_POST['b'], $DBConnection)
);

$Result = mysql_query($Query, $DBConnection);

You should use mysql_real_escape_string to escape the parameters to the query, not the entire query itself.

For example, let's say you have two variables you received from a form. Then, your code would look like this:

$Query = sprintf(
    'INSERT INTO SomeTable VALUES("%s", "%s")', 
    mysql_real_escape_string($_POST['a'], $DBConnection),
    mysql_real_escape_string($_POST['b'], $DBConnection)
);

$Result = mysql_query($Query, $DBConnection);
回复 原文
叹倦 2024-11-09 00:56:45

手册 mysql_real_escape_string()

转义字符串中的特殊字符
用于 SQL 语句

因此您无法转义整个查询,只能转义数据...因为它将转义所有不安全字符,例如引号(查询的有效部分)。

如果您尝试类似的操作(以转义整个查询)

echo mysql_real_escape_string("INSERT INTO some_table VALUES ('xyz', 'abc', '123');");

输出是

INSERT INTO some_table VALUES (\'xyz\',
\'abc\'、\'123\');

并且该查询不再有效

manual mysql_real_escape_string()

Escapes special characters in a string
for use in an SQL statement

So you can't escape entire query, just data... because it will escape all unsafe characters like quotes (valid parts of query).

If you try something like that (to escape entire query)

echo mysql_real_escape_string("INSERT INTO some_table VALUES ('xyz', 'abc', '123');");

Output is

INSERT INTO some_table VALUES (\'xyz\',
\'abc\', \'123\');

and that is not valid query any more.

回复 原文
软的没边 2024-11-09 00:56:45

这对我有用。德狼 (wtec.co)

<?php
// add data to db
require_once('../admin/connect.php');

$mysqli = new mysqli($servername, $username, $password, $dbname);

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$post = $mysqli->real_escape_string($_POST['name']);
$title = $mysqli->real_escape_string($_POST['message']);


/* this query with escaped $post,$title will work */
if ($mysqli->query("INSERT into press (title, post) VALUES ('$post', '$title')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close();


//header("location:../admin"); 
?>

This worked for me. dwolf (wtec.co)

<?php
// add data to db
require_once('../admin/connect.php');

$mysqli = new mysqli($servername, $username, $password, $dbname);

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$post = $mysqli->real_escape_string($_POST['name']);
$title = $mysqli->real_escape_string($_POST['message']);


/* this query with escaped $post,$title will work */
if ($mysqli->query("INSERT into press (title, post) VALUES ('$post', '$title')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close();


//header("location:../admin"); 
?>
回复 原文
~没有更多了~

关于作者

哭泣的笑容

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文