mysqli_real_escape_string是否足以阻止SQL注入？ [重复]

This question already has an answer here:

How can I prevent SQL injection in PHP? 28 answers
SQL injection that gets around mysql_real_escape_string() 4 answers

I have the following php script to insert a form user input data into the database. Is mysqli_real_escape_string enough to prevent SQL injection if I don't wish to use prepared statements to bind parameters to "?" placeholder?

   <?php
   $link = mysqli_connect("localhost", "root", "", "bizcontact");

   $name = mysqli_real_escape_string($link, $_POST['name']);
   $company = mysqli_real_escape_string($link, $_POST['company']);
   $position = mysqli_real_escape_string($link, $_POST['position']);
   $contact = mysqli_real_escape_string($link, $_POST['contact']);
   $email = mysqli_real_escape_string($link, $_POST['email']);
   $gender = mysqli_real_escape_string($link, $_POST['gender']);

   /* check connection */
   if (mysqli_connect_errno()) {
   printf("Connect failed: %s
", mysqli_connect_error());
   exit();
   }

   $sql = "INSERT INTO businesscontact(name, company, position, phone,  email, gender) VALUES('$name', '$company', '$position', '$contact', '$email',  '$gender')";
   if (mysqli_query($link, $sql)){
   echo "success";
   }else{
   echo(mysqli_error($link));
   };

   /* close connection */
   mysqli_close($link);
   ?>

UPDATE

    $stmt = $link->prepare("INSERT INTO businesscontact(name, company, position, phone, email, gender) VALUES(?,?,?,?,?,?)");
    $stmt-> bind_param("ssssss", $name, $company, $position, $contact,  $email, $gender);
    if($stmt->execute()){
    echo "success";
   }else{
    echo(mysqli_error($link));
   }

</div>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

报告相同问题？

关注问题

mysqli_real_escape_string不会插入到db中 database html mysql php
2019-03-04 10:58

回答 5 已采纳 You are wrong to pass parameters to the mysqli_real_escape_string () function before inserting the
mysqli_real_escape_string（）警告此代码[关闭] php
2015-10-02 09:32

回答 1 已采纳 Your parameters are in the wrong order, read the documentation again. For example: $username = my
mysqli_real_escape_string（）返回空字符串 mysql php
2015-11-27 13:34

回答 3 已采纳 mysqli_real_escape_string($username) is missing a required parameter The usage of mysqli_real_esc
mysqli mysql_real_escape_string_“ mysqli_real_escape_string”是否足以避免SQL注入或其他SQL攻击？...
2021-02-07 23:38

冰炭不同炉的博客小编典典有人可以告诉我它是否安全或是否容易受到SQL Injection攻击或其他SQL攻击吗？防止SQL注入的最佳方法是使用准备好的语句。它们将数据(您的参数)与指令(SQL查询字符串)分开，并且不会为数据留下任何空间污染...
php mysqli我应该使用real_escape_string吗？ [重复] php
2012-11-18 15:48

回答 2 已采纳 According to PHP Manual on mysqli and prepared statements: Escaping and SQL injection Bou
您是否需要将mysqli_real_escape_string用于加密值？ php sql
2013-11-24 13:37

回答 1 已采纳 You don't need to, you can either restrict your input field of password to allow/accept what combi
Mysqli_real_escape_string无法识别链接 php
2016-03-17 17:34

回答 2 已采纳 You call $link in your function but it is not defined in your function. You have to pass it as a
PHP防止SQL注入的方法：addslashes和mysqli_real_escape_string的区别
2023-09-28 20:24

MdlForward的博客为了避免恶意用户通过注入恶意SQL代码来破坏数据库或获取敏感信息，开发人员需要对用户输入的数据进行适当的过滤和转义。在PHP中，有两个常用的函数用于转义字符串，分别是。函数是PHP中最简单的字符串转义函数之一...
在数据库中保存带单引号的字符串，不带mysqli_real_escape_string [duplicate] mysql php
2015-12-31 07:13

回答 1 已采纳 Since Im seeing so many low quality comments here, here is a rough untested answer. $query = "INS
类型'String'是一个意外的参数，期望Mysqli [mysqli_real_escape_string] [重复] mysql php
2017-02-15 13:59

回答 1 已采纳 Change your code to $xml_object = mysqli_real_escape_string($conn, $data->xml_object);
mysqli_real_escape_string无效[关闭] mysql php
2014-08-20 12:13

回答 2 已采纳 you are using $ sign before function mysqli_real_escape_string make it $username = mysqli_real_e
mysql_real_escape_string 注入_围绕mysql_real_escape_string（）的SQL注入
2021-01-19 12:03

weixin_39862985的博客沧海一幻觉简短的回答是肯定的，是的，有办法绕行mysql_real_escape_string()。对于非常糟糕的边缘案例!!!答案很长并不容易。它基于此处演示的攻击。攻击那么，让我们从展示攻击开始......mysql_query('SETNAMESgbk'...
PHP在表名中从mysql_real_escape_string更改为PDO [duplicate] mysql php sql
2014-01-24 13:15

回答 1 已采纳 You won't be able to escape the table name (I hope that $tablename isn't coming from an outside so
mysqli mysql_real_escape_string,警告：mysqli_real_escape_string（）期望参数1为mysqli，字符串给定...
2021-02-07 23:38

许传志的博客 I have a secured area of my site where I can add/update/delete database entries. I am trying to update the script from mysql to mysqli. Everything works except for the "update" part. When I fill in...
php escape的用法,PHP mysqli_real_escape_string() 函数用法及示例
2021-04-26 21:51

给你一个熊猫眼的博客 PHP mysqli_real_escape_string() 函数用法及示例mysqli_real_escape_string()函数根据当前连接的字符集，对于 SQL 语句中的特殊字符进行转义。定义和用法mysqli_real_escape_string()函数用来对字符串中的特殊字符...
php mysql_real_escape_string函数用法与实例教程
2021-01-20 00:35

语法mysql_real_escape_string(string,connection) 参数描述 string 必需。规定要转义的字符串。 connection 可选。规定 MySQL 连接。如果未规定，则使用上一个连接。说明本函数将 string 中的特殊字符转义...
不执行数据库查询 mysql_real_escape_string,使用mysqli_real_escape_string时查询不运行
2021-01-30 16:08

weixin_39599342的博客 I'm converting an old script to be compliant with MySQLi and ran in to an issue...$link = mysqli_connect("localhost", "user", "password", "database");if (mysqli_connect_errno()) {printf("Connect faile...
sqlilabs关于mysqli_real_escape_string函数报错的问题解决。
2022-08-30 11:28

snowman12138的博客 sqlilabs关于mysqli_real_escape_string函数报错的问题解决。
mysqli mysql_real_escape_string_PHP mysqli_real_escape_string() 函数
2021-01-27 10:23

王高乒的博客转义字符串中的特殊字符：// 假定数据库用户名：root，密码：123456，数据库：VOIDME$con=mysqli_connect(...if (mysqli_connect_errno($con)){echo "连接 MySQL 失败: " . mysqli_connect_error();}mysqli_query($...
没有解决我的问题, 去提问

悬赏问题

¥15 shape_predictor_68_face_landmarks.dat
¥15 slam rangenet++配置
¥15 有没有研究水声通信方面的帮我改俩matlab代码
¥15 对于相关问题的求解与代码
¥15 ubuntu子系统密码忘记
¥15 信号傅里叶变换在matlab上遇到的小问题请求帮助
¥15 保护模式-系统加载-段寄存器
¥15 电脑桌面设定一个区域禁止鼠标操作
¥15 求NPF226060磁芯的详细资料
¥15 使用R语言marginaleffects包进行边际效应图绘制

码龄粉丝数原力等级 --

mysqli_real_escape_string是否足以阻止SQL注入？ [重复]

0条回答默认最新

悬赏问题

mysqli_real_escape_string是否足以阻止SQL注入？ [重复]

0条回答 默认 最新

悬赏问题

0条回答默认最新