1. 首页
  2. 问答
  3. mysqli_real_escape_string()不正常

mysqli_real_escape_string()不正常

2013-11-05 39 views
0

我有以下PHP函数:mysqli_real_escape_string()不正常

public function signup() { 
     $mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE); 
     if (mysqli_connect_errno($mysql)) { 
      $this->viewModel->set("pageTitle", "Signup"); 
      $this->viewModel->set("message", "There was an error connecting to the server."); 
      return $this->viewModel; 
     } 
     if ($result = $mysql->query("SELECT id FROM mailinglist WHERE email='" . $this->email . "';")) { 
      if ($result->num_rows == 0) { 
       $mysql->query("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');"); 
       $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . "."); 
      } else { 
       $this->viewModel->set("message", "You are already signed up for updates!"); 
      } 
     } else { 
      $this->viewModel->set("message", "There was an error adding you the mailing list."); 
     } 
     $this->viewModel->set("pageTitle", "Signup"); 
     return $this->viewModel; 
    }

然而,运行良好,准确地返回我想要的东西,如果我尝试使用mysqli_real_escape_string()我提出的质疑,它不起作用。即,以下代码

 
public function signup() { 
     $mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE); 
     if (mysqli_connect_errno($mysql)) { 
      $this->viewModel->set("pageTitle", "Signup"); 
      $this->viewModel->set("message", "There was an error connecting to the server."); 
      return $this->viewModel; 
     } 
     $query = $mysql->real_escape_string("SELECT id FROM mailinglist WHERE email='" . $this->email . "';"); 
     if ($result = $mysql->query($query)) { 
      if ($result->num_rows == 0) { 
       $query = $mysql->real_escape_string("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');"); 
       $mysql->query($query); 
       $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . "."); 
      } else { 
       $this->viewModel->set("message", "You are already signed up for updates!"); 
      } 
     } else { 
      $this->viewModel->set("message", "There was an error adding you the mailing list."); 
     } 
     $this->viewModel->set("pageTitle", "Signup"); 
     return $this->viewModel; 
    }

不起作用。这不是连接问题,我尝试使用mysqli_real_escape_string()而不是$ mysql-> real_escape_string(),但它们都不起作用。任何人都可以看到这段代码有什么问题吗?

来源

2013-11-05 kaiserphellos

+10

'real_escape_string'查询中使用逃逸数据;它不会奇迹般地呈现您已经将任意输入引入安全的查询。但是它的作用并不重要,因为你使用的是MySQLi,你可以使用并应该使用准备好的语句。 – Ryan

+0

是否有任何PHP错误? – Machavity

回答

-1

您必须转义数据而不是整个查询。

public function signup() { 
     $mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE); 
     if (mysqli_connect_errno($mysql)) { 
      $this->viewModel->set("pageTitle", "Signup"); 
      $this->viewModel->set("message", "There was an error connecting to the server."); 
      return $this->viewModel; 
     } 
     $query = "SELECT id FROM mailinglist WHERE email='" .$mysql->real_escape_string($this->email). "'" 
     if ($result = $mysql->query($query)) { 
      if ($result->num_rows == 0) { 
       $query = "INSERT INTO mailinglist (email) VALUES ('" . $mysql->real_escape_string($this->email) . "')"; 
       $mysql->query($query); 
       $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . "."); 
      } else { 
       $this->viewModel->set("message", "You are already signed up for updates!"); 
      } 
     } else { 
      $this->viewModel->set("message", "There was an error adding you the mailing list."); 
     } 
     $this->viewModel->set("pageTitle", "Signup"); 
     return $this->viewModel; 
    }

来源

2013-11-05 04:01:30

+0

这整个答案是错误的。因为你不应该逃避“数据”。 –

1

不要这样做,请使用预准备语句。他们更安全,更可靠。您仍然需要清理数据以获得适当的价值和跨站点脚本,以列出您仍然会遇到的一些风险。转义您的数据是防止SQL注入的一种方式,但并不完全证明。准备好的语句告诉数据库服务器假定传入的数据不安全并且只接受它,并且不像串联的字符串那样处理它。数据库接受你的参数,就像它们是一个语句的变量,而不是语句的一部分。

这里是你如何改变你是准备好的语句:

$stmt=$mysql->prepare("SELECT id FROM mailinglist WHERE email=?"); 
$stmt->bind_param('s',$this->email); 
$result=$stmt->execute(); 
if ($result) { 
    if ($result->num_rows == 0) { 
     $stmt=$mysql->prepare("INSERT INTO mailinglist (email) VALUES (?)"); 
     $stmt->bind_param('s', $this->email); 
     $stmt->execute(); 
     $this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . "."); 
    } else { 
     $this->viewModel->set("message", "You are already signed up for updates!"); 
    } 
} else { 
    $this->viewModel->set("message", "There was an error adding you the mailing list."); 

}

来源

2013-11-05 04:31:30 Snowburnt

相关问题

 相关问题