以下查询不会产生任何结果:
A)
$Part = mysql_real_escape_string($_POST['Part']);
$part_query = "SELECT title FROM tag WHERE title LIKE '$Part%'";
B)
$Part = mysql_real_escape_string(addslashes($_POST['Part']));
$part_query = "SELECT title FROM tag WHERE title LIKE '$Part%'";
虽然这样做:(编辑:这也不起作用)
C)
$Part = $_POST['Part'];
$part_query = "SELECT title FROM tag WHERE title LIKE '$Part%'";
我如何解决这个问题?我当然要逃避形式输入。
D)
这有效:
$Part = $_POST['Part'];
$Part = strip_tags($Part,"");
$Part = trim($Part);
$part_query = "SELECT title FROM tag WHERE title LIKE '$Part%'";
答案 0 :(得分:0)
看看这是否有效,如果是这样,你会得到魔法引号,至少在你知道它们已被移除的全局条带上。
<?php
// Remove magic quotes
if (get_magic_quotes_gpc()){
function stripslashes_deep($value){
$value = is_array($value)?array_map('stripslashes_deep', $value):stripslashes($value);
return $value;
}
$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
// Format and prepare SQL
$Part = mysql_real_escape_string($_POST['Part']);
$part_query = "SELECT `title` FROM `tag` WHERE `title` LIKE '$Part%'";
// obviously update below for your connection
$mysqli = new mysqli('localhost', 'user', 'password', 'world');
if (mysqli_connect_errno()) {
printf("Can't connect to MySQL Server. Errorcode: %s\n", mysqli_connect_error());
exit;
}
if ($result = $mysqli->query($part_query)) {
while( $row = $result->fetch_assoc() ){
print(json_encode(($row)));
}
$result->close();
}
$mysqli->close();
答案 1 :(得分:0)
trim从字符串中删除前导和尾随空格,这是否有效:
$Part = trim($_POST['Part']);
$Part = mysql_real_escape_string($Part);
$part_query = "SELECT title FROM tag WHERE title LIKE '$Part%'";