用户提交表单数据后,我有以下操作页面。我想防止SQL注入攻击,所以我尝试使用函数mysql_real_escape_string。但是,在我插入一些数据后,例如领域名称:我哥哥的车。数据库中的数据是相同的," My Brother's Car"。它根本没有改变,或者mysql_real_escape_string被忽略了?
当我使用带有mysql_real_escape_string的echo显示变量名时,它会显示" My Brother's Car。但是,将其插入数据库时它不起作用。
<?php
$mysqli = mysqli_connect("localhost", "hecton", "ccna", "joomladb");
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
} else {
$id = mysql_real_escape_string($_POST['id']);
$name = mysql_real_escape_string($_POST['name']);
$gender = mysql_real_escape_string($_POST['gender']);
$dateofbirth = mysql_real_escape_string($_POST['dateofbirth']);
$placeofbirth = mysql_real_escape_string($_POST['placeofbirth']);
$address = mysql_real_escape_string($_POST['address']);
$schoolname = mysql_real_escape_string($_POST['schoolname']);
$qualification = mysql_real_escape_string($_POST['qualification']);
$skills1 = mysql_real_escape_string($_POST['skills1']);
$skills2 = mysql_real_escape_string($_POST['skills2']);
$awards = mysql_real_escape_string($_POST['awards']);
$Volunteer = mysql_real_escape_string($_POST['Volunteer']);
$query = " INSERT INTO j71mi_resumeinfo ( id, name, gender, dateofbirth, placeofbirth, address, schoolname, qualification, skills1, skills2, awards, Volunteer ) VALUES ( '$id', '$name', '$gender', '$dateofbirth', '$placeofbirth', '$address', '$schoolname', '$qualification', '$skills1', '$skills2', '$awards', '$Volunteer' ) ";
$result = mysqli_query($mysqli, $query);
if ($result === TRUE) {
echo "A record has been successfully inserted into the database!.";
echo "<b><h1><center>My Resume</h1></b></center>";
echo "<div style='font-size: large; font-family: sans-serif'>
<p style='color: white; background-color: black'>Personal Details</p></div>";
echo "<br>";
echo "<b>Name:</b>".($_POST['name']);
echo "<br>";
echo "<b>Gender:</b>".$_POST['gender'];
echo "<br>";
echo "<b>Date of Birth:</b>".$_POST['dateofbirth'];
echo "<br>";
echo "<b>Place of Birth:</b>".$_POST['placeofbirth'];
echo "<br>";
echo "<b>Home Address:</b>".$_POST['address'];
echo "<div style='font-size: large; font-family: sans-serif'>
<p style='color: white; background-color: black'>Educational Details</p></div>";
echo "<br>";
echo "<b>School Name:</b>".$_POST['schoolname'];
echo "<br>";
echo "<b>Qualification(s):</b>".$_POST['qualification'];
echo "<br>";
echo "<b>Skill 1:</b>".$_POST['skills1'];
echo "<br>";
if(!empty($_POST['skills2']) and isset($_POST['skills2'])){
echo "<b>Skill 2:</b>".$_POST['skills2'];
echo "<br>";
}
if(!empty($_POST['awards']) || !empty($_POST['Volunteer'])){
echo "<div style='font-size: large; font-family: sans-serif'>
<p style='color: white; background-color: black'>Other Details</p></div>";
echo "<br>";
}
if(!empty($_POST['awards']) and isset($_POST['awards'])){
echo "<b>Award(s):</b>".$_POST['awards'];
echo "<br>";
}
if(!empty($_POST['Volunteer']) and isset($_POST['Volunteer'])){
echo "<b>Volunteer Activity:</b>".$_POST['Volunteer'];
echo "<br>";
}
echo "<br>";
echo "<b><h5><center>End of Resume</h5></b></center>";
} else {
printf("Could not insert record: %s\n", mysqli_error($mysqli));
}
mysqli_close($mysqli);
}
?>
答案 0 :(得分:2)
数据实际上已转义。
当您查看数据库中的数据时,它存在的事实意味着它已被转义 - 它仅被转义,因此它不被接受为查询中的字符。一旦它进入数据库,它就被视为数据的一部分。
例如,INSERT INTO table VALUES ('My brother\'s car');会将My brother's car插入数据库。由于'是MySQL中的保留字符,因此不会将其视为查询的一部分,而是数据集的一部分,即“有效”单引号而非“起始值部分”字符。
注意:在使用mysql_real_escape_string功能时不要使用mysqli_。 It has its own equivalent