doupu1949 2014-11-25 09:37
浏览 219
已采纳

刚刚使用mysql真正的转义字符串[关闭]

need guidance on how this mysql real escape string works on this statement, i don't want mysqli and the pdo types. i have tried it, but it is not working, need some help about this

$UserName =mysql_real_escape_string($_POST['UserName']);
$password =mysql_real_escape_string($_POST['Password']);

            // Insert data into mysql 
            $sql1="INSERT INTO UserDetail (UserName,Password,Email_Address,Verifycode,AcoountStatus)VALUES('$UserName','$encry_pass','$email','$verify_code','Inactive')";
  • 写回答

1条回答 默认 最新

  • duana1986 2014-11-25 09:59
    关注

    it is not working … the strings like />., still can be enter in the sql database

    It is working.

    mysql_real_escape_string is a function that escapes characters which have special meaning in SQL.

    / and > do not have special meaning in SQL, so it shouldn't touch them.

    If they did have special meaning, then the point of the function is to allow them to be inserted into the database. It makes changes such as converting ' (meaning "Start or end an SQL string") to \' (meaning "An apostrophe").

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?