duan1396 2013-04-03 10:23 Acceptance rate: 0%
Views: 31

Sanitizing my data in MySQLi with mysqli_real_escape_string

I am converting my functions over from mysql to mysqli. In mysql I use a general function that I can parse data into to remove SQL threats. I have tried using this method in mysqli; however, any data that goes through it doesn't come back out. If I var_dump the string I get the result:

string(0) ""

This is my function:

    function sanitize($data) {
        // procedural mysqli_real_escape_string() is called here with the string only
        return htmlentities(strip_tags(mysqli_real_escape_string($data)));
    }

2 answers

  • douqu8828 2013-04-03 10:27

    You don't really need to use mysqli_real_escape_string().

    Instead, just use prepared statements (look for examples in this PHP documentation page), and you will be just fine.

    In addition to protecting from bad data, prepared statements also may work faster, especially for repeated data.

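To make both points concrete, the empty string in the question and the prepared-statement advice in this answer, here is an added example; it is not code from the question or the answer. It assumes a local MySQL server, a table `users(id INT, name VARCHAR(64))`, and placeholder credentials; the `escape_for_sql()` and `find_user_by_name()` helpers are illustrative names.

```php
<?php
// Added example, not from the original question or answer.
// Assumes a local MySQL server and a table `users(id INT, name VARCHAR(64))`;
// the host, user, password and database names below are placeholders.

// Throw exceptions on MySQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// Escaping is charset-dependent: set the connection charset before escaping anything.
$db->set_charset('utf8mb4');

// 1. Why the original sanitize() returned "": the procedural
//    mysqli_real_escape_string() takes the connection as its FIRST argument
//    (mysqli_real_escape_string($link, $string)). Called with only the string,
//    PHP 5 emits a warning and returns NULL; strip_tags(NULL) and
//    htmlentities() then turn that into "". PHP 8 throws an ArgumentCountError.
//    The object-oriented form below makes the connection explicit.
function escape_for_sql(mysqli $db, string $data): string
{
    return $db->real_escape_string($data);
}

// 2. Prepared statements: the value travels separately from the SQL text,
//    so no escaping of the value is needed and a quote in the input can
//    never terminate the string literal in the query.
function find_user_by_name(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);          // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($id, $foundName);
    $row = $stmt->fetch() ? ['id' => $id, 'name' => $foundName] : null;
    $stmt->close();
    return $row;
}

// Constructed hostile input: the classic tautology injection.
$input = "' OR '1'='1";

// The escaped form is only safe when placed inside a quoted SQL literal.
echo escape_for_sql($db, $input), "\n";

// With a prepared statement the same input is simply compared as a name.
var_dump(find_user_by_name($db, $input));

// HTML encoding belongs at output time, not before storage: keep the raw
// value in the database and encode it for the context it is rendered in.
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), "\n";
```

Two practical notes: `real_escape_string()` only protects a value that ends up inside a quoted literal (it does nothing for unquoted numbers, identifiers or `LIMIT` clauses), whereas the bound parameter is safe regardless of where it appears as a value; and chaining `strip_tags()`/`htmlentities()` into a SQL sanitizer mixes two contexts, so the stored data is altered and still has to be encoded correctly when it is later rendered.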
