I'm using PHP and PDO with prepared statements in a class file. I keep getting the error "Warning: mysql_real_escape_string(): Access denied for user" when the method is called. I really don't know how to fix this.
Here is the method from the class file:
public function insertReview() {
    $fk_employee = $_POST['fk_employee'];
    // Current Date returned from JQuery and formatted to add to DB.
    $cdate = $_POST['current_date'];
    $current_date = explode("/", $cdate);
    $cmonth = $current_date[0];
    $cday = $current_date[1];
    $cyear = $current_date[2];
    $current_dateA = array($cyear, $cmonth, $cday);
    $review_date = implode("-", $current_dateA);
    // Review Begin Date returned from JQuery Datepicker and formatted to add to DB.
    $bdate = $_POST['r_period_begin'];
    $begin_date = explode("/", $bdate);
    $bmonth = $begin_date[0];
    $bday = $begin_date[1];
    $byear = $begin_date[2];
    $begin_dateA = array($byear, $bmonth, $bday);
    $r_period_begin = implode("-", $begin_dateA);
    // Review End Date returned from JQuery Datepicker and formatted to add to DB.
    $edate = $_POST['r_period_end'];
    $end_date = explode("/", $edate);
    $emonth = $end_date[0];
    $eday = $end_date[1];
    $eyear = $end_date[2];
    $end_dateA = array($eyear, $emonth, $eday);
    $r_period_end = implode("-", $end_dateA);
    // Criteria: build one "key|value|comment|" segment per submitted criterion.
    $criterias = $_POST['criteria'];
    $criteriaValue = $_POST['criteriaValue'];
    $comments = $_POST['Comments'];
    $criteria = ''; // initialise before appending with .= below
    foreach ($criteriaValue as $key => $value) {
        foreach ($criterias as $crit) {
            if ($crit == $key) {
                $string1 = $key;
                foreach ($comments as $comment => $comm) {
                    if ($string1 == $comment) {
                        $string3 = $comm;
                    }
                }
            }
        }
        foreach ($value as $result) {
            $string2 = $result;
        }
        $criteria .= mysql_real_escape_string( $string1 . '|' . $string2 . '|' . $string3 . '|' );
    }
    $overall_rating = $_POST['overall_rating'];
    $additional_comments = $_POST['additional_comments'];
    $goals = $_POST['goals'];
    $conn = parent::connect();
    $sql = "INSERT INTO " . TBL_EMPLOYEE_REVIEW . " (
        fk_employee,
        review_date,
        r_period_begin,
        r_period_end,
        criteria,
        overall_rating,
        additional_comments,
        goals
    ) VALUES (
        :fk_employee,
        :review_date,
        :r_period_begin,
        :r_period_end,
        :criteria,
        :overall_rating,
        :additional_comments,
        :goals
    )";
    try {
        $st = $conn->prepare( $sql );
        $st->bindValue( ":fk_employee", $fk_employee, PDO::PARAM_STR );
        $st->bindValue( ":review_date", $review_date, PDO::PARAM_STR );
        $st->bindValue( ":r_period_begin", $r_period_begin, PDO::PARAM_STR );
        $st->bindValue( ":r_period_end", $r_period_end, PDO::PARAM_STR );
        $st->bindValue( ":criteria", quote($criteria), PDO::PARAM_STR );
        $st->bindValue( ":overall_rating", $overall_rating, PDO::PARAM_STR );
        $st->bindValue( ":additional_comments", $additional_comments, PDO::PARAM_STR );
        $st->bindValue( ":goals", $goals, PDO::PARAM_STR );
        $st->execute();
        parent::disconnect( $conn );
    } catch ( PDOException $e ) {
        echo $e->getFile();
        echo $e->getTraceAsString();
        echo "The exception was created on line: " . $e->getLine();
        die( "Query failed: " . $e->getMessage() );
    }
}
Answer 0 (score: 3)
Don't use mysql_real_escape_string() when you are using PDO. The PDO class handles the escaping itself; whenever you use bindValue(), it does that for you.
Replace this line:
$criteria .= mysql_real_escape_string( $string1 . '|' . $string2 . '|' . $string3 . '|' );
with this line:
$criteria .= $string1 . '|' . $string2 . '|' . $string3 . '|';
Answer 1 (score: 1)
PDO and mysql_* are two completely different extensions. mysql_real_escape_string needs a database connection to do its work. If no connection was established beforehand with mysql_connect, mysql_real_escape_string will try to open a new connection with the default credentials when you call it. That fails, hence the error message.
As @Shackrock said, don't use mysql_real_escape_string if you are not using mysql_*. Use PDO's escaping functions, or more precisely PDO's parameterized queries and bound values. That is much better than manual escaping anyway.
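The point both answers make, as an added example that is not code from the question or either answer: the criteria string is built by plain concatenation and handed to bindValue(), and a value containing quotes, backslashes and pipes comes back from the database byte-for-byte intact, so no manual escaping is needed. It assumes the pdo_sqlite extension (an in-memory database standing in for MySQL) and a reduced employee_review table; the function and column names are assumptions.

```php
<?php
// Added example, not from the question or answers. Uses an in-memory SQLite
// database (pdo_sqlite) so it runs offline; the table and column names are
// assumptions that mirror the question's INSERT.

// Build "key|value|comment|" segments the way Answer 0 suggests: plain
// concatenation, no mysql_real_escape_string() and no quote().
function buildCriteria(array $criteria, array $values, array $comments): string
{
    $out = ''; // initialise so .= never touches an undefined variable
    foreach ($criteria as $key) {
        $value   = $values[$key]   ?? '';
        $comment = $comments[$key] ?? '';
        $out .= $key . '|' . $value . '|' . $comment . '|';
    }
    return $out;
}

function insertReview(PDO $conn, string $fkEmployee, string $criteria): void
{
    $sql = 'INSERT INTO employee_review (fk_employee, criteria) VALUES (:fk_employee, :criteria)';
    $st = $conn->prepare($sql);
    // bindValue() sends the value separately from the SQL text; the driver
    // (or PDO's emulation layer) handles quoting, so nothing is escaped here.
    $st->bindValue(':fk_employee', $fkEmployee, PDO::PARAM_STR);
    $st->bindValue(':criteria', $criteria, PDO::PARAM_STR);
    $st->execute();
}

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE employee_review (id INTEGER PRIMARY KEY, fk_employee TEXT, criteria TEXT)');

// Constructed input that would corrupt a string-concatenated query or be
// double-escaped by mysql_real_escape_string(): a quote, a backslash and a
// pipe inside the comment text.
$criteria = buildCriteria(
    ['punctuality', 'teamwork'],
    ['punctuality' => '4', 'teamwork' => '5'],
    ['punctuality' => "Bob's \"late\" twice", 'teamwork' => 'a|b \\ c']
);
insertReview($conn, '42', $criteria);

// Round trip: the stored value must be exactly what was bound.
$stored = $conn->query("SELECT criteria FROM employee_review WHERE fk_employee = '42'")->fetchColumn();
echo $stored === $criteria ? "round trip intact\n" : "value was altered\n";
```

Run it with `php example.php`; if the stored value differed from the bound one (as it would after pre-escaping), the script reports "value was altered".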