Allow fields to contain single quotes

Date: 2015-09-03 19:23:08

Tags: php mysqli

// www.w3schools.com/php/func_mysqli_real_escape_string.asp
$finding = mysqli_real_escape_string($connection, $_POST['finding']);
$observation = mysqli_real_escape_string($connection, $_POST['observation']);
$severity = mysqli_real_escape_string($connection, $_POST['severity']);
$remediation = mysqli_real_escape_string($connection, $_POST['remediation']);
$see_also = mysqli_real_escape_string($connection, $_POST['see_also']);

$query = "INSERT INTO findings (modified, type, finding, observation, severity, remediation, see_also) VALUES (now(), '$_POST[type]', '$finding', '$observation', '$severity', '$remediation', '$see_also')";
$result = mysqli_query($connection, $query);
confirm_query($result);

Example text allowed in the observation field: The web server's home page is vulnerable to attack.

1 answer:

Answer 0 (score: -3)

 $query = "INSERT INTO findings (modified, type, finding, observation, severity, remediation, see_also)"
        . " VALUES (now(), '" . mysqli_real_escape_string($connection, $_POST['type']) . "',"
        . " '" . $finding . "', '" . $observation . "', '" . $severity . "',"
        . " '" . $remediation . "', '" . $see_also . "')";
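The answer above escapes the one value the question's query interpolated raw (`$_POST[type]`), but escaping only helps when every escaped value sits inside quotes in the SQL text and the connection charset is the one mysqli assumes. The example below is an added one, not code from the question or the answer: it writes the same INSERT as a prepared statement with bound parameters, so the apostrophe in "server's" (and any other character) is passed as data rather than spliced into the query. The hostname, credentials, database name and the `$input` array standing in for `$_POST` are placeholders.

```php
<?php
// Added example (not from the question or answer): the same INSERT written
// with a prepared statement. Values are bound separately from the SQL text,
// so a single quote in a field cannot terminate the string literal.
// Host, credentials and database name are placeholders.

// Throw exceptions on any mysqli error instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connection = new mysqli('localhost', 'user', 'password', 'findings_db');

// Set the connection charset explicitly. Both the driver and
// mysqli_real_escape_string() assume this charset; leaving it at the server
// default is the classic way escaping goes wrong with multi-byte input.
$connection->set_charset('utf8mb4');

// Constructed sample input standing in for $_POST. Two fields contain
// apostrophes, which is the case the question is about.
$input = [
    'type'        => 'web',
    'finding'     => 'Reflected XSS',
    'observation' => "The web server's home page is vulnerable to attack.",
    'severity'    => 'high',
    'remediation' => "Encode output; don't reflect untrusted input.",
    'see_also'    => 'OWASP XSS Prevention Cheat Sheet',
];

/**
 * Insert one finding using bound parameters and return its new row id.
 * Every user-supplied field, including `type`, goes through a placeholder;
 * nothing from $row is ever concatenated into the SQL string.
 */
function insert_finding(mysqli $connection, array $row): int
{
    $stmt = $connection->prepare(
        'INSERT INTO findings
            (modified, type, finding, observation, severity, remediation, see_also)
         VALUES (NOW(), ?, ?, ?, ?, ?, ?)'
    );

    // "ssssss": six string parameters, bound by reference in column order.
    $stmt->bind_param(
        'ssssss',
        $row['type'],
        $row['finding'],
        $row['observation'],
        $row['severity'],
        $row['remediation'],
        $row['see_also']
    );

    $stmt->execute();
    $id = (int) $connection->insert_id;
    $stmt->close();

    return $id;
}

$id = insert_finding($connection, $input);
echo "Inserted finding #$id\n";
```

If the existing `mysqli_real_escape_string` approach is kept instead, the check to make is that every escaped value, `type` included, appears inside single quotes in the query and that `set_charset()` has been called on the connection first; the prepared-statement form needs neither.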