douyin8813 2013-06-10 23:20
浏览 50

mysql_real_escape_string不允许字符串通过

I'm trying to sanitize a string going into my database. But with the code below, I don't get the update to my db.

First page posts this in an input form:

$note="Here is some example text";

Receiving page:

$note = $_POST['note'];
$note = mysql_real_escape_string($note);
$sql="UPDATE some_table SET notes='$note' WHERE id='$some_id'";
$result=mysql_query($sql);

When I take out the mysql_real_escape_string line it works, but not with it in there. What am I missing?

Thanks!

  • 写回答

1条回答 默认 最新

  • dongmu5246 2013-06-10 23:31
    关注

    I strongly recommend using Prepared Statement, mysql_real_escape_string() won't full protect you from SQL Injection.

    Example for your update:

    <?php
// connection
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);

// query
$sql = "UPDATE some_table 
        SET notes=? 
        WHERE id=?";
$q = $conn->prepare($sql);
$q->execute(array($$_POST['note'], $some_id));
?>

    More details: http://www.php.net/manual/en/intro.pdo.php

    评论

报告相同问题?

悬赏问题

  • ¥20 西门子S7-Graph,S7-300,梯形图
  • ¥50 用易语言http 访问不了网页
  • ¥50 safari浏览器fetch提交数据后数据丢失问题
  • ¥15 matlab不知道怎么改,求解答!!
  • ¥15 永磁直线电机的电流环pi调不出来
  • ¥15 用stata实现聚类的代码
  • ¥15 请问paddlehub能支持移动端开发吗?在Android studio上该如何部署?
  • ¥20 docker里部署springboot项目,访问不到扬声器
  • ¥15 netty整合springboot之后自动重连失效
  • ¥15 悬赏!微信开发者工具报错,求帮改