duanliyi5997 2013-05-14 09:21

Strange trouble when using a PHP post function

So, I've got some pretty basic code that I can't get to work quite right. I'm using the ezSQL class (http://justinvincent.com/ezsql), but that's working fine. Everything works fine, except when I try to use a sanitize function (get_post). I'm using two other functions, sanitizeString and sanitizeMySQL, when I call the function get_post. If I just $_POST the data right to the SQL table, it works fine. It's only when I go through the post function that it breaks. Here's the posting bit:

if (isset($_POST['username']) &&
    isset($_POST['password']))
{
    $username = get_post('username');
    $password = get_post('password');
    $db->query("INSERT INTO users VALUES ('$username', '$password')");
}

Like I said, I'm using a class (that's what the $db->query stuff is about), but that's working perfectly. If I change the code to this:

if (isset($_POST['username']) &&
    isset($_POST['password']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    $db->query("INSERT INTO users VALUES ('$username', '$password')");
}

it works fine. Here are the three functions I'm using for sanitizing:

// Sanitize Functions
function sanitizeString($var)
{
    if (get_magic_quotes_gpc()) $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}

function sanitizeMySQL($var)
{
    $var = mysql_real_escape_string($var);
    $var = sanitizeString($var);
    return $var;
}

function get_post($var)
{
    return sanitizeMySQL($_POST['$var']);
}

I've even tried just changing the get_post function to contain a mysql_real_escape_string return, and even that doesn't work. Also, I guess I should clarify what actually happens when I try to use the get_post function. It appears to create a new row in the table, but with completely empty cells. Hope you guys can shed some light on what I'm doing wrong! I'm a pretty experienced front-end developer, but I'm kinda learning the ropes with server-side stuff. Thanks :)

ninjaEdit: I found this question, "Are these two functions overkill for sanitization?", which is definitely helpful in making my sanitize functions better, but it doesn't really help me with why mine aren't working in the first place.


2 answers

  • douyu8187 2013-05-14 09:24

    Why did you put ' around $var?

    In the function get_post you should do: return sanitizeMySQL($_POST[$var]);

    You should use a prepared statement so it escapes characters for you.

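An added example (not code from the original question or answer) showing both points of the answer: get_post with the key interpolated correctly, and the INSERT done with a bound-parameter prepared statement instead of mysql_real_escape_string plus string concatenation. PDO over an in-memory SQLite database stands in for the MySQL connection so it runs offline; the users table and the $_POST values are constructed for the demo.

```php
<?php
// Added example, not from the original post. PDO with an in-memory SQLite
// database stands in for the MySQL connection so it runs offline; the
// users table and the request values below are constructed for the demo.

// Why the original get_post broke: single-quoted strings are not interpolated,
// so $_POST['$var'] looks up the literal key "$var", which never exists. The
// escape functions then turn that missing value into "", hence the empty row.
function get_post(string $var): ?string
{
    return isset($_POST[$var]) ? (string) $_POST[$var] : null;
}

// Prepared statement: the user input is bound as a parameter and never becomes
// part of the SQL text, so mysql_real_escape_string is unnecessary. Do not
// htmlentities() before storing either; encode on output instead.
function insert_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    return $stmt->execute([':u' => $username, ':p' => $password]);
}

function fetch_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');

// Constructed request: the quote in the username would have needed escaping
// in the concatenated query string; with a bound parameter it is stored as-is.
$_POST = ['username' => "o'brien", 'password' => 'hunter2'];

if (get_post('username') !== null && get_post('password') !== null) {
    insert_user($db, get_post('username'), get_post('password'));
}
var_dump(fetch_user($db, "o'brien"));
var_dump(get_post('nonexistent'));
```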
