PHP PDO警告:mysql_real_escape_string():拒绝用户访问

时间:2013-03-02 21:24:57

标签: php mysql pdo

我在类文件中使用PHP和PDO以及预处理语句。我一直收到错误:警告:mysql_real_escape_string():用户拒绝访问。当调用该方法时。我真的不知道如何解决这个问题。

以下是类文件中的方法:

public function insertReview() {
    $fk_employee = $_POST['fk_employee'];

    // Current Date returned from JQuery and formatted to add to DB.
    $cdate = $_POST['current_date'];
    $current_date = explode("/", $cdate);
      $cmonth = $current_date[0];
      $cday = $current_date[1];
      $cyear = $current_date[2];
      $current_dateA = array($cyear, $cmonth, $cday);
    $review_date = implode("-", $current_dateA);

    // Review Begin Date returned from JQuery Datepicker and formatted to add to DB.              
    $bdate = $_POST['r_period_begin'];
    $begin_date = explode("/", $bdate);
      $bmonth = $begin_date[0];
      $bday = $begin_date[1];
      $byear = $begin_date[2];
      $begin_dateA = array($byear, $bmonth, $bday);
    $r_period_begin = implode("-", $begin_dateA);

    // Review End Date returned from JQuery Datepicker and formatted to add to DB.
    $edate = $_POST['r_period_end'];
    $end_date = explode("/", $edate);
      $emonth = $end_date[0];
      $eday = $end_date[1];
      $eyear = $end_date[2];
      $end_dateA = array($eyear, $emonth, $eday);
    $r_period_end = implode("-", $end_dateA);

    // Criteria 
      $criterias = $_POST['criteria'];
      $criteriaValue = $_POST['criteriaValue'];
      $comments = $_POST['Comments'];

      foreach ($criteriaValue as $key => $value ){
          foreach( $criterias as $crit ){
              if( $crit == $key ){
                  $string1 = $key;
                  foreach( $comments as $comment => $comm ){
                      if( $string1 == $comment ){
                          $string3 = $comm;
                      }
                  }
              }
          }
          foreach ( $value as $result ){
              $string2 = $result;
          }

      $criteria .= mysql_real_escape_string( $string1 . '|' . $string2 . '|' . $string3 . '|' );
      }

    $overall_rating = $_POST['overall_rating'];
    $additional_comments = $_POST['additional_comments'];
    $goals = $_POST['goals'];

  $conn = parent::connect();
  $sql = "INSERT INTO " . TBL_EMPLOYEE_REVIEW . " (
            fk_employee,
            review_date,
            r_period_begin,
            r_period_end,
            criteria,
            overall_rating,
            additional_comments,
            goals  
          ) VALUES (
            :fk_employee,
            :review_date,
            :r_period_begin,
            :r_period_end,
            :criteria,
            :overall_rating,
            :additional_comments,
            :goals
          )";

  try {
    $st = $conn->prepare( $sql );
    $st->bindValue( ":fk_employee", $fk_employee, PDO::PARAM_STR );
    $st->bindValue( ":review_date", $review_date, PDO::PARAM_STR );
    $st->bindValue( ":r_period_begin", $r_period_begin, PDO::PARAM_STR );
    $st->bindValue( ":r_period_end", $r_period_end, PDO::PARAM_STR );
    $st->bindValue( ":criteria", quote($criteria), PDO::PARAM_STR );
    $st->bindValue( ":overall_rating", $overall_rating, PDO::PARAM_STR );
    $st->bindValue( ":additional_comments", $additional_comments, PDO::PARAM_STR );
    $st->bindValue( ":goals", $goals, PDO::PARAM_STR );

    $st->execute();
    parent::disconnect( $conn );
  } catch ( PDOException $e ) {
            echo $e->getFile();
            echo $e->getTraceAsString();
            echo "The exception was created on line: " . $e->getLine();

    die( "Query failed: " . $e->getMessage() );
  }
}

2 个答案:

答案 0 :(得分:3)

使用PDO时请勿使用mysql_real_escape_string()。 PDO类处理转义本身。

每当您使用bindValue()时,它都是为您做的。

替换此行:

$criteria .= mysql_real_escape_string( $string1 . '|' . $string2 . '|' . $string3 . '|' );

这一行:

$criteria .=  $string1 . '|' . $string2 . '|' . $string3 . '|';

答案 1 :(得分:1)

PDO和mysql_*是两个完全不同的扩展。 mysql_real_escape_string需要数据库连接才能完成工作。如果之前未使用mysql_connect建立连接,mysql_real_escape_string将在您调用时尝试使用默认凭据创建新连接。这失败了,因此出现了错误消息。

正如@Shackrock所说,如果你没有使用mysql_real_escape_string,请不要使用mysql_*。使用PDO的转义函数,更准确地说是PDO的参数化查询和绑定值。无论如何,这比手动逃避要好得多。