PHP和MySQL - 使用mysqli_real_escape_string的正确方法

I was wondering if the code below is the correct way to use mysqli_real_escape_string() when storing users data in a database.

Here is the PHP & MySQL code.

if (mysqli_num_rows($dbc) == 0) {
        $mysqli = mysqli_connect("localhost", "root", "", "sitename");
        $dbc = mysqli_query($mysqli,"INSERT INTO info (user_id, url) 
                                     VALUES ('$user_id', 'mysqli_real_escape_string($url)')");
}


if ($dbc == TRUE) {
        $dbc = mysqli_query($mysqli,"UPDATE info 
                                     SET url = 'mysqli_real_escape_string($url)' 
                                     WHERE user_id = '$user_id'");

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
douyeke2695 2010-04-01 17:06
关注
Almost: You need to put the function calls outside the string:

"... VALUES ('$user_id', '".mysqli_real_escape_string($url)."')");

Notice the closing " and the concatenating . before and after the function call.

And, we don't know where $user_id comes from. If it comes from the outside, that needs to be escaped, too.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

php mysql_real_escape_string转换为mysqli [复制] html mysql php
2016-08-30 17:57

回答 3 已采纳 I think you want this <?php $con=mysqli_connect("localhost","my_user","my_password","my_db");
mysqli_real_escape_string（）返回空字符串 mysql php
2015-11-27 13:34

回答 3 已采纳 mysqli_real_escape_string($username) is missing a required parameter The usage of mysqli_real_esc
mysqli_real_escape_string不会插入到db中 database html mysql php
2019-03-04 10:58

回答 5 已采纳 You are wrong to pass parameters to the mysqli_real_escape_string () function before inserting the
mysqli mysql_real_escape_string_PHP mysqli_real_escape_string() 函数
2021-02-07 23:38

weixin_39719101的博客实例转义字符串中的特殊字符：$con=mysqli_connect("localhost","my_user","my_...// Check connectionif (mysqli_connect_errno($con)){echo "Failed to connect to MySQL: " . mysqli_connect_error();}mysqli_q...
如何将PHP7的$ mysqli-> real_escape_string与数组一起使用 mysql php
2016-03-07 18:37

回答 1 已采纳 You might be better off using prepared statements, but to the question, pass an array of object an
Mysqli_real_escape_string无法识别链接 php
2016-03-17 17:34

回答 2 已采纳 You call $link in your function but it is not defined in your function. You have to pass it as a
HTML表单没有将值传递给PHP（mysqli_real_escape_string） html mysql php
2015-06-15 13:45

回答 7 已采纳 Change form type="post" to method="post" Add database connection string to your mysqli_real_escap
php mysql_real_escape_string函数用法与实例教程
2021-01-20 00:35

语法mysql_real_escape_string(string,connection) 参数描述 string 必需。规定要转义的字符串。 connection 可选。规定 MySQL 连接。如果未规定，则使用上一个连接。说明本函数将 string 中的特殊字符转义...
mysqli_real_escape_string（）期望参数1为mysqli，null为null mysql php
2016-07-22 16:49

回答 3 已采纳 i think you have typo in your variable, please check your $connect => $conncet variable $c
PHP在表名中从mysql_real_escape_string更改为PDO [duplicate] mysql php sql
2014-01-24 13:15

回答 1 已采纳 You won't be able to escape the table name (I hope that $tablename isn't coming from an outside so
在数据库中保存带单引号的字符串，不带mysqli_real_escape_string [duplicate] mysql php
2015-12-31 07:13

回答 1 已采纳 Since Im seeing so many low quality comments here, here is a rough untested answer. $query = "INS
mysqli mysql_real_escape_string,警告：mysqli_real_escape_string（）期望参数1为mysqli，字符串给定...
2021-02-07 23:38

许传志的博客 I have a secured area of my site where I can add/update/delete database entries. I am trying to update the script from mysql to mysqli. Everything works except for the "update" part. When I fill in...
使用mysql_real_escape_string的速度 mysql php
2014-04-03 21:28

回答 2 已采纳 The mysql_real_escape_string() already searches the string for apostrophes and other characters, a
mysqli mysql_real_escape_string_“ mysqli_real_escape_string”是否足以避免SQL注入或其他SQL攻击？...
2021-02-07 23:38

冰炭不同炉的博客防止SQL注入的最佳方法是使用准备好的语句。它们将数据(您的参数)与指令(SQL查询字符串)分开，并且不会为数据留下任何空间污染查询的结构。准备好的语句解决了应用程序安全性的基本问题之一。对于无法使用准备好的...
不执行数据库查询 mysql_real_escape_string,使用mysqli_real_escape_string时查询不运行
2021-01-30 16:08

weixin_39599342的博客 I'm converting an old script to be compliant with MySQLi and ran in to an issue...$link = mysqli_connect("localhost", "user", "password", "database");if (mysqli_connect_errno()) {printf("Connect faile...
mysql_real_escape_string c api_mysql_real_escape_string
2021-03-03 23:48

高三垃圾的博客 } if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id)) { $str = mysql_real_escape_string($str, $this->conn_id); } elseif (function_exists('mysql_escape_string')) { $str = ...
php mysql_escape_string 替代方法,PHP_PHP函数addslashes和mysql_real_escape_string的区别，首先：不要使用mysql_escape_str...
2021-04-21 22:49

沈公子329的博客 PHP函数addslashes和mysql_real_escape_string的区别首先：不要使用mysql_escape_string，它已被弃用，请使用mysql_real_escape_string代替它。mysql_real_escape_string和addslashes的区别在于：区别一：addslashes...
php escape的用法,PHP mysqli_real_escape_string() 函数用法及示例
2021-04-26 21:51

给你一个熊猫眼的博客 PHP mysqli_real_escape_string()...定义和用法mysqli_real_escape_string()函数用来对字符串中的特殊字符进行转义，以使得这个字符串是一个合法的 SQL 语句。传入的字符串会根据当前连接的字符集进行转义，得到一...
mysql_real_escape_string 报错,使用mysql_real_escape_string（）时出错
2021-01-19 23:40

邦成为寄卖连锁的博客 my code-require 'database....$title = mysql_real_escape_string($_POST['title']); //line 48$cat = $_POST['cat'];$txtart = mysql_real_escape_string($_POST['artbody']); //line 50$date = date("d-m-y");...
没有解决我的问题, 去提问

悬赏问题

¥15 Vue3 大型图片数据拖动排序
¥15 划分vlan后不通了
¥15 GDI处理通道视频时总是带有白色锯齿
¥20 用雷电模拟器安装百达屋apk一直闪退
¥15 算能科技20240506咨询（拒绝大模型回答）
¥15 自适应 AR 模型参数估计Matlab程序
¥100 角动量包络面如何用MATLAB绘制
¥15 merge函数占用内存过大
¥15 使用EMD去噪处理RML2016数据集时候的原理
¥15 神经网络预测均方误差很小但是图像上看着差别太大

PHP和MySQL - 使用mysqli_real_escape_string的正确方法

2条回答 默认 最新

悬赏问题

2条回答默认最新