我如何使用mysql真正的转义字符串? [英] how do I use mysql real escape string?
本文介绍了我如何使用mysql真正的转义字符串?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
这里的代码仍然不完整,因为我仍然要问你们关于使用mysql转义字符串的正确格式/语法.我仍然是php的初学者,我想学习如何避免sql注入.下面的代码正确吗?
The code here is still incomplete because I'm still going to ask you guys on what the proper format/syntax of using mysql escape string. Im still a beginner in php and I want to learn how to avoid sql injections. Is the code below correct?
$con = mysql_connect("localhost","root","mypwd");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("Hospital", $con);
$sqlque="INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE)
VALUES ('$_POST[hnum]', '$_POST[rnum]', '$_POST[adate]', '$_POST[adtime]', '$_POST[lname]', '$_POST[fname]', '$_POST[mname]', '$_POST[cs]', '$_POST[age]', '$_POST[bday]', '$_POST[ad]', '$_POST[telnum]', '$_POST[sex]', '$_POST[stats1]', '$_POST[stats2]', '$_POST[stats3]', '$_POST[stats4]', '$_POST[stats5]', '$_POST[stats6]', '$_POST[stats7]', '$_POST[stats8]', '$_POST[nurse]')";
mysql_real_escape_string($_POST[hnum]),
mysql_real_escape_string($_POST[rnum]);
mysql_real_escape_string($_POST[adate]);
推荐答案
在将它们放入查询之前,您需要转义 值.
You'll need to escape the values before you put them into the query:
$hnum = mysql_real_escape_string($_POST['hnum']);
$query = "INSERT ... VALUES('$hnum')";
如果您有很多值,则可以遍历它们:
If you have a lot of values, you can loop over them:
$values = $_POST;
foreach ($values as &$value) {
$value = mysql_real_escape_string($value);
}
$query = "INSERT ... VALUES('$values[hnum]')";
这篇关于我如何使用mysql真正的转义字符串?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
