当mysqli_real_escape_string不工作时,没有这个的其他解决方案是什么?

时间:2014-11-14 06:48:39

标签: php mysql mysqli

这是我的代码:

if(isset($_POST['doSEARCH'])){
    $mysqli->query("SELECT * FROM data WHERE title = '$search'");
}
?>
<form action="" method="post">
    <input type="text" name="search" />
    <input type="submit" value="SAVE" name="doSEARCH" id="doSEARCH" />
</form>

1问:我可以在不使用mysqli_real_escape_string的情况下使用此方法吗?这样安全吗?

$search = filter_input(INPUT_POST, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
if(preg_match("/[^a-z0-9 ,.]/i",$search)){
    header('Location: 500error.html'); 
    exit();
}

2问:还有其他任何短期解决方案吗? (不使用mysqli_real_escape_string

谢谢你!

1 个答案:

答案 0 :(得分:1)

你可以使用

$mysqli = new mysqli("host", "userName", "my_password", "d_name");

if(isset($_POST['doSEARCH'])){
$search = mysqli_real_escape_string($mysqli,$_POST['search']);
$mysqli->query("SELECT * FROM data WHERE title = '$search'");
}


$query = sprintf("SELECT * FROM data WHERE title = '%s'",mysql_real_escape_string($_POST['search']));
相关问题
最新问题