在这块代码中,我把mysqli_real_escape_string()放在哪里?PHP和MySQL表格提交
或者,如果您有更好的方式来编写整个区块,我很乐意听到。
<?php
$title = ($_POST["title"]);
$date = ($_POST["date"]);
$content = ($_POST["content"]);
$query = "INSERT INTO months (";
$query .= " title, date, content ";
$query .= ") VALUES (";
$query .= " '{$title}', '{$date}', '{$content}' ";
$query .= ")";
mysqli_query($connection, $query); ?>
这将是最好用准备好的发言。
$stmt = mysqli_prepare($connection, "INSERT INTO months (title, date, content)
VALUES(?, ?, ?)");
mysqli_stmt_bind_param($stmt, "sss", $title, $date, $content);
$title = $_POST["title"];
$date = $_POST["date"];
$content = $_POST["content"];
mysqli_stmt_execute($stmt);
当使用转义函数和字符串连接时,可能仍然存在sql注入的情况。 Prepared Statements的工作方式不同,因此它们可以防止sql注入。 https://stackoverflow.com/a/60496/3595565
试试这个:
$title = mysqli_real_escape_string($_POST["title"]);
$date = mysqli_real_escape_string($_POST["date"]);
$content = mysqli_real_escape_string($_POST["content"]);
谢谢菲利普 – benjiman