我正在使用mysqli_real_escape_string()函数来防止SQl注入。我的代码
<?php
// open a connection
$dhost = 'localhost';
$duser = 'user';
$dpw = 'pass';
$dname = 'db_name';
$connection = mysqli_connect($dhost, $duser, $dpw, $dname);
// test the connection
if(mysqli_connect_errno()){
die('Something went wrong with the database<br><br> '
. mysqli_connect_error() . ':'
. mysqli_connect_errno());
}
$query = "Isn't it nice that we don't have to escape ' characters all by ourselves?";
echo $query.'<br>';
$escaped = mysqli_real_escape_string($connection , $query);
echo $escaped.'<br>';
mysqli_query($connection,"INSERT into emp (name) VALUES ('$escaped')");
mysqli_close($connection);
?>
当我打印$ escaped变量时,它给出如下输出:
我们不必自己逃脱\'字符不是很好吗?
但是当我看到数据库字段时,我发现了这一点:
我们不必自己逃脱'个字符,这很好吗?