Preventing MySQL injection on a search field and dropdown lists

Time: 2014-01-28 22:37:19

Tags: mysql code-injection

I know this has probably been asked before, but I'm trying to protect my search field and dropdowns from MySQL injection and I can't get mysql_real_escape_string integrated into my PHP. I currently filter the search results either by keywords from 2 dropdowns or by a free-form reference the user types in. I've commented below where I tried to add the escape string, but it's breaking my search function. Can anyone tell me what I should do? Thanks for your help

    <?php
    mysql_select_db($database_connectInfo, $connectInfo);

    // SEARCH FROM TEXT INPUT
    if (isset($_POST['searchByRef']))
    {
        $searchword = $_POST['searchByRef'];

        // ESCAPE STRING HERE
        // mysql_real_escape_string() takes the string FIRST and the link SECOND;
        // passing the link first is what broke the search.
        $searchword = mysql_real_escape_string($searchword, $connectInfo);

        $query_dbname = "SELECT * FROM dbname WHERE `ref` LIKE '%" . $searchword . "%'";
    }
    // SEARCH FROM DROPDOWN MENUS
    else if (isset($_REQUEST['submit']))
    {
        $drop1 = $_POST['search1'];
        $drop2 = $_POST['search2'];

        // ESCAPE STRING HERE (same argument order: value, then link)
        $drop1 = mysql_real_escape_string($drop1, $connectInfo);
        $drop2 = mysql_real_escape_string($drop2, $connectInfo);

        // Build the WHERE clause only from the dropdowns that were actually set
        $query_dbname = 'SELECT * FROM dbname WHERE 1=1'
            . ($drop1 ? ' AND `colour` LIKE "%' . $drop1 . '%"' : '')
            . ($drop2 ? ' AND `style` LIKE "%' . $drop2 . '%"' : ' ORDER BY id DESC');
    }
    // NO SEARCH: show everything
    else
    {
        $query_dbname = "SELECT * FROM dbname ORDER BY ref DESC";
    }

    $dbname        = mysql_query($query_dbname, $connectInfo) or die(mysql_error());
    $row_dbname    = mysql_fetch_assoc($dbname);
    $totalRows_all = mysql_num_rows($dbname);
    ?>

1 answer:

Answer 0 (score: 0)

Don't use mysql_escape_string.. use mysqli or PDO with prepared statements instead.

http://www.php.net/manual/en/book.pdo.php

For details on WHY, see:

Why mysql_real_escape_string() did not prevent hack?
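The asker's three search modes rebuilt on PDO prepared statements, as the answer recommends; this is an added example, not code from the question or the answer. It assumes the table `dbname` and the columns `ref`, `colour` and `style` from the question; the DSN and credentials are placeholders, and `likeTerm` is a helper introduced here.

```php
<?php
// Added example: PDO prepared statements for the search field and dropdowns.
// Placeholders below must be replaced with the real DSN and credentials.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'USER_PLACEHOLDER',
    'PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares: value and SQL never mix
    ]
);

// Helper (assumed, not on the page): wrap a value in % wildcards and neutralise
// % and _ inside it so user text matches literally. MySQL's default escape
// character is backslash. This is a matching concern, not an injection one;
// the injection protection comes from binding the value as a parameter.
function likeTerm(string $value): string
{
    return '%' . addcslashes($value, '%_\\') . '%';
}

$sql    = 'SELECT * FROM dbname';
$params = [];

if (isset($_POST['searchByRef']) && $_POST['searchByRef'] !== '') {
    // Free-text search: the wildcards live in the bound VALUE, not in the SQL text
    $sql .= ' WHERE `ref` LIKE :ref';
    $params[':ref'] = likeTerm($_POST['searchByRef']);
} elseif (isset($_REQUEST['submit'])) {
    // Dropdown search: column names are hard-coded, every user value is a placeholder
    $conditions = [];
    if (!empty($_POST['search1'])) {
        $conditions[]      = '`colour` LIKE :colour';
        $params[':colour'] = likeTerm($_POST['search1']);
    }
    if (!empty($_POST['search2'])) {
        $conditions[]     = '`style` LIKE :style';
        $params[':style'] = likeTerm($_POST['search2']);
    }
    if ($conditions) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    if (empty($_POST['search2'])) {
        $sql .= ' ORDER BY id DESC'; // same ordering rule as the original query
    }
} else {
    $sql .= ' ORDER BY ref DESC';
}

$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows          = $stmt->fetchAll(PDO::FETCH_ASSOC);
$totalRows_all = count($rows);
```

Because the user values are bound with `execute($params)`, a quote or `--` in the search box is stored and compared as data; the only dynamic part of the SQL string is the choice of which fixed conditions to include.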