最近,我在插入某些字符串时遇到INSERT INTO无法正常工作的问题。我发现原因是包含撇号的字符串,这些撇号会弄乱我的代码。要解决这个问题,我一直在尝试使用mysql_real_escape_string(),但它不会做任何事情。我读到它应该在每个"危险"之前插入\特殊字符,但是当我回显mysql_real_escape_string()的结果时,它会向我显示前后相同的字符串,没有\ s。
我该如何解决?
这是我的代码......
<?php
include "connect.php"; //connect.php connects to the database.
mysql_real_escape_string($_POST['username']);
mysql_real_escape_string($_POST['password']);
mysql_real_escape_string($_POST['sdNamer']);
mysql_real_escape_string($_POST['sdTrunk']);
//$_POST['username'] and the rest is the data entered by the user.
$username = $_POST['username'];
$password = $_POST['password'];
$sdName = $_POST['sdNamer'];
$sdTrunkest = $_POST['sdTrunk'];
$sql = "INSERT INTO users (username, password, user_bio, starterDeck, Trunk) VALUES ('$username', '$password', 'User', '$sdName', '$sdTrunkest')";
//INSERT INTO won't work, because $sdTrunkest has string that contains an apostrophe, and mysql_real_escape_string isn't doing anything about it.
mysql_query($sql);
exit("result_message=Success");
?>
答案 0 :(得分:10)
mysql_real_escape_string()返回修改后的字符串,但您没有对该字符串执行任何操作。您实际上未使用 mysql_real_escape_string()。使用返回的值而不是原始的未修改值:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
// etc...
另外,作为旁注,您的代码还有两个更严重的问题:
mysql_*功能。更新您的代码。 (阅读简介here开始。)