我试图阻止sql注入
mysql_real_escape_string($value)
这是我的代码,但似乎我得到一个空值,
$this->name_safe = mysqli_real_escape_string($this->name,$this->link);
$this->query = "INSERT INTO student (complete_name, date_birth, gender, email, student_status)
VALUES ( '$this->name_safe', '$this->date', '$this->gender', '$this->email_1', 'current')";
? THX
答案 0 :(得分:2)
您的函数参数的顺序错误。首先是DB链接,然后是要转义的字符串。
http://php.net/mysqli_real_escape_string
mysqli_real_escape_string($this->link, $this->name)