mysqli_real_string_escape失败了GET

I have a static database connection established in a file which I include as

include_once 'database.inc.php';

named $mysqli.

When I pass a parameter $tbname from a form using $tbname = $_GET['tbname'], and attempt to use $tbname = $mysqli->real_esacpe_string($tbname), it produces identical output to $tbname, including when invalid characters such as /,'" are used in the name.

Based on looking at other questions and proper usage, I cannot find a reason why the string escape should fail. It also fails if a procedural call is used to mysqli_real_escape_string($mysqli, $tbname).

When $tbname is valid and not string escaped by the function, my query

query = $mysqli->prepare("CREATE TABLE $tbname (ID INT NOT NULL AUTO_INCREMENT PRIMARY KEY)") or trigger_error($mysqli->error."[$query]");

works as intended.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dssu33392 2015-09-05 19:11
关注
There is no reason to use this function for escaping a table name, and you should never use it for such a purpose.

There is no reason in creating tables from user input, and you should never create tables on the fly, but always have solid and predefined database structure.

mysqli_real_escape_string DOES escape these symbols \'". But you should never use it. Instead, you have to use prepared statements
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

Mysqli_real_escape_string无法识别链接 php
2016-03-17 17:34

回答 2 已采纳 You call $link in your function but it is not defined in your function. You have to pass it as a
HTML表单没有将值传递给PHP（mysqli_real_escape_string） html mysql php
2015-06-15 13:45

回答 7 已采纳 Change form type="post" to method="post" Add database connection string to your mysqli_real_escap
php mysqli我应该使用real_escape_string吗？ [重复] php
2012-11-18 15:48

回答 2 已采纳 According to PHP Manual on mysqli and prepared statements: Escaping and SQL injection Bou
mysqli mysql_real_escape_string,警告：mysqli_real_escape_string（）期望参数1为mysqli，字符串给定...
2021-02-07 23:38

许传志的博客 I have a secured area of my site where I can add/update/delete database entries. I am trying to update the script from mysql to mysqli. Everything works except for the "update" part. When I fill in...
PHP在表名中从mysql_real_escape_string更改为PDO [duplicate] mysql php sql
2014-01-24 13:15

回答 1 已采纳 You won't be able to escape the table name (I hope that $tablename isn't coming from an outside so
类型'String'是一个意外的参数，期望Mysqli [mysqli_real_escape_string] [重复] mysql php
2017-02-15 13:59

回答 1 已采纳 Change your code to $xml_object = mysqli_real_escape_string($conn, $data->xml_object);
整数的filter_input和mysqli_real_escape_string php
2012-03-11 07:04

回答 2 已采纳 Like many other PHP users you are taking escaping wrong. You taking it as a some sort of magic wan
不执行数据库查询 mysql_real_escape_string,使用mysqli_real_escape_string时查询不运行
2021-01-30 16:08

weixin_39599342的博客 I'm converting an old script to be compliant with MySQLi and ran in to an issue...$link = mysqli_connect("localhost", "user", "password", "database");if (mysqli_connect_errno()) {printf("Connect faile...
mysql（i）_real_escape_string，安全可靠吗？ mysql php
2013-03-13 15:52

回答 3 已采纳 A really great day today - second good attempt to create a sensible database abstraction layer in
mysql_real_escape_string和array_map返回空字符串？ mysql php
2013-09-05 00:05

回答 3 已采纳 array_map returns new array, if you're overwriting $_POST, better solution would be to use array_w
php mysqli_insert_id（）错误 mysql php
2014-11-18 13:55

回答 1 已采纳 Try looking at the example supplied by PHP.net: <?php $mysqli = new mysqli("localhost", "my_us
mysql_real_escape_string与mysqli_real_escape_string
2019-09-27 10:39

dianai7709的博客 mysql_real_escape_string是用来转义字符的，主要是转义POST或GET的参数，防治SQL注入（防注入可参考PHP防SQL注入不要再用addslashes和mysql_real_escape_string了），但是自 PHP 5.5.0 起已废弃，并在自 ...
插入值时，mysqli_real_escape看起来不正确 mysql php sql
2014-04-13 11:57

回答 1 已采纳 remove this where word = '".$key."' from your queries of insert. you dont have to make where c
mysql_real_escape_string c api_mysql_real_escape_string
2021-03-03 23:48

高三垃圾的博客 CI中：$this->db->select('*')->where("username","skcdian")->where("password","' OR '...get("user")->result();SELECT * FROM (user) WHERE username = ‘skcdian’ AND password = ‘\’ OR \’...
mysql_real_escape_string php_PHP之mysql_real_escape_string()函数讲解
2021-01-18 18:55

愚然自得的博客例子例子 1$con = mysql_connect("localhost", "hello", "321");if (!...}// 获得用户名和密码的代码// 转义用户名和密码，以便在 SQL 中使用$user = mysql_real_escape_string($user);$pwd = mysql...
mysql_real_escape_string 不支持_mysql_real_escape_string总是返回false
2021-01-21 13:23

13338383381的博客总所周知，mysql_real_escape_string函数的作用是：转义SQL语句中使用的字符串中的特殊字符，并考虑到连接的当前字符集。并且mysql_real_escape_string()并不转义%和_。但是，如果按照手册的例子来写代码，总是返回...
php mysql_escape_string 替代方法,PHP_PHP函数addslashes和mysql_real_escape_string的区别，首先：不要使用mysql_escape_str...
2021-04-21 22:49

沈公子329的博客 PHP函数addslashes和mysql_real_escape_string的区别首先：不要使用mysql_escape_string，它已被弃用，请使用mysql_real_escape_string代替它。mysql_real_escape_string和addslashes的区别在于：区别一：addslashes...
php mysql_escape_string 替代方法,关于mysql：mysql_real_escape_string的安全替代品吗？ (PHP)...
2021-04-21 22:49

4564344的博客我正在将变量传递给执行查询的函数MySQL连接仅在函数内部发生，并在函数内部关闭我希望能够在将字符串发送给函数之前安全地转义字符串我无法使用mysql_real_escape_string，因为它需要MySQL连接(仅在函数内部进行)我...
mysql escape 函数_mysql_real_escape_string（）函数的作用
2021-01-19 00:57

隅隅隅的博客相关函数:get_magic_quotes_gpc()在PHP5.4中已被丢弃mysql_real_escape_string()说明这个函数在PHP5.5中不建议使用,在将来的版本中将会被丢弃,建议使用:mysql_real_escape_string()函数的作用：防止SQL Injection...
没有解决我的问题, 去提问

悬赏问题

¥20 求个正点原子stm32f407开发版的贪吃蛇游戏
¥15 正弦信号发生器串并联电路电阻无法保持同步怎么办
¥15 划分vlan后，链路不通了？
¥20 求各位懂行的人，注册表能不能看到usb使用得具体信息，干了什么，传输了什么数据
¥15 个人网站被恶意大量访问，怎么办
¥15 Vue3 大型图片数据拖动排序
¥15 Centos / PETGEM
¥15 划分vlan后不通了
¥20 用雷电模拟器安装百达屋apk一直闪退
¥15 算能科技20240506咨询（拒绝大模型回答）

mysqli_real_string_escape失败了GET

1条回答 默认 最新

悬赏问题

1条回答默认最新