我一直在研究mysqli_real_escape_string(),但我并不真正理解如何在我的案例中正确使用它来帮助防止SQLInjection,使用下面的代码,有人可以帮我纠正这个?我感谢所有的帮助。这里关于sql注入和php的其他问题没有真正回答我的问题,在我的格式中使用正确的语法用法,当我使用它时:
"$city = mysqli_real_escape_string($_POST['City']);
我得到了我的通用搜索,无论输入什么是'%$ city%'或'%$ business%'
<?php
$con = mysqli_connect(........);
// Check connection
if (mysqli_connect_errno())
{
echo "<option>Failed to connect to the Database</option>" ;
}
$city = mysqli_real_escape_string($con, $_POST['City']);
$business = mysqli_real_escape_string($con, $_POST['Business']);
$result = mysqli_query($con,"SELECT * FROM Business WHERE City LIKE '%$city%' AND BName LIKE '%$business%' ORDER BY City, BName ASC");
while($row = mysqli_fetch_array($result))
{
// do stuff here
}
// No other results
echo "<center>No other listings like $city or $business</center>";
// Free result set
mysqli_free_result($result);
mysqli_close($con);
?>
答案 0 :(得分:2)
您必须使用mysqli_real_escape_string
代替mysql_real_escape_string
,因为您使用的是mysqli_*
个功能。
string mysqli_real_escape_string(mysqli $ link,string $ escapestr)
您必须将转义序列重写为
$city = mysqli_real_escape_string ($con, $_POST['City']);
$business = mysqli_real_escape_string ($con, $_POST['Business']);
并且阻止sql injection
使用prepaid statements
。