我有以下代码:
$username = $_SESSION['username'];
$query = ("SELECT id FROM users WHERE username = '$username'");
$result = mysql_query($query) or die (mysql_error());
$row = mysql_fetch_row($result);
$user_id = $row[0];
我应该在哪里应用mysql_real_escape_string?
$user_id = mysql_real_escape_string($row[0]);会有效吗?
我知道MySQL应该留在过去。我很快就会转到MySQLi。
答案 0 :(得分:0)
在第一行执行此操作:
$username = mysql_real_escape_string($_SESSION['username']);
并将查询更改为:
$query = ("SELECT id FROM users WHERE username = '".$username."'");