mysqli_real_escape_string使空字符串

时间:2014-03-02 02:13:20

标签: php mysql sql pdo

我有这个脚本。

<?php  
session_start();
if (!isset($_POST['text']) || $_POST['text'] == "" || strlen($_POST['text']) < 5) {
echo "error";
echo '<meta http-equiv="refresh" content="2;url=../prispevky/add.php">';
return 0;}
else $text = $_POST['text'];

if (!isset ($_SESSION['nick'])) {
echo "error";
echo '<meta http-equiv="refresh" content="2;url=../error.php">';
return 0;}
else $nick = $_SESSION['nick'];

$time = time();

$farby = array("red","blue","green", "brown", "orange", "purple", "grey", "lime", "yellow", "pink");
include_once "../inkludy/conect.php";
$new = $_POST['text'];
echo $new;
$new = mysqli_real_escape_string($_POST['text']);
echo $new;

$new = str_replace(array("\\r\\n", "\n"), "</br>", $new);
for ($i=0;$i<10;$i++){
if (preg_match ('/&lt; .{1,10} &gt;/', $new, $meno)){
    $nove_meno = preg_replace('/(&lt; )|( &gt;)/', '', $meno[0]);
    $new = preg_replace('/' . $meno[0] . '/', '<b style="color:' . $farby[$i] . '">>' . $nove_meno . '<</b>', $new);
}
}

    try {
    $query = "INSERT INTO hlasky (autor,text,onoff,time) VALUES (:nick,:new,:onoff,:time)";
    $stmt = $conn->prepare($query);
    $stmt->bindValue(':nick', $nick, PDO::PARAM_STR);
    $stmt->bindValue(':new', $new, PDO::PARAM_STR);
    $stmt->bindValue(':onoff', '1', PDO::PARAM_INT);
    $stmt->bindValue(':time', $time, PDO::PARAM_INT);
    $stmt->execute();}

catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();}
?>
<meta http-equiv="refresh" content="10;url=../hmenu/najn.php">

$ _ POST =“asdasd”和

$new = $_POST['text'];
echo $new;

工作正常,但回声除了

$new = mysqli_real_escape_string($_POST['text']);
echo $new;

让$ new为空。大家都认为我没有mysql连接,但我有和

INSERT INTO hlasky (autor,text,onoff,time) VALUES (:nick,:new,:onoff,:time) 

也可以,但是:新的是空的 你能不能帮我解决$ new string的问题?

这是我的连接脚本包含在include_once“../ inkludy / conect.php”;

<?php
$server = "localhost";
$username = "";
$password = "";
$databaza_meno = "iz";

$dsn = "mysql:unix_socket=/tmp/mysql50.sock;dbname=$databaza_meno";
$conn = new PDO($dsn, $username, $password);

$db_spojenie = mysql_connect($server, $username, $password);
$db = mysql_select_db($databaza_meno, $db_spojenie);
mysql_query("SET NAMES utf-8");
?>

2 个答案:

答案 0 :(得分:0)

解决方案是删除mysqli_real_escape_string并仅使用PDO,因为预处理语句提供了自动转义。

答案 1 :(得分:-4)

我认为您在调用mysqli_real_escape_string时需要指定一个链接。我不经常使用PDO,但我相信由于你的链接$conn在PDO中,如果你想使用以mysqli开头的任何函数,你需要使用mysqli_connect指定一个新链接。

mysqli_real_escape_string的文档位于:http://us2.php.net/manual/en/mysqli.real-escape-string.php