我有一个PHP脚本,有一些输入和应用 $owner = mysqli_real_escape_string($conn,$_POST['owner']);
$purpose = mysqli_real_escape_string($conn,$_POST['purpose']);
$type = mysqli_real_escape_string($conn,$_POST['type']);
$city = mysqli_real_escape_string($conn,$_POST['city']);
$location = mysqli_real_escape_string($conn,$_POST['location']);
$description = mysqli_real_escape_string($conn,$_POST['description']);
$price = floatval($_POST['price']);
$land_area = floatval($_POST['area']);
$bedrooms = intval($_POST['bedrooms']);
$bathrooms = intval($_POST['bathrooms']);
$expire = mysqli_real_escape_string($conn,$_POST['expire']);
功能来过滤..如下所示
$query = "INSERT INTO add_property SET owner='".$owner."',purpose='".$purpose."', property_type='".$type."',city='".$city."',location='".$location."',description='".$description."',price='".$price."',land_area='".$land_area."',bedrooms='".$bedrooms."',bathrooms='".$bathrooms."',property_expire='".$expire."',image_url='".$targetfile."'";
$result = mysqli_query($conn,$query) or die(mysqli_error());
及以下是插入查询
{{1}}
问题 它会转换字符串并添加一个slach if(')等,如果找到它就像&ab;它将它转换为\' abc但不保存到数据库... 它保存到数据库,就像..' abc
答案 0 :(得分:1)
它将转义字符串以使其保持有效的SQL查询,而不是将转义版本存储在数据库中。