无法使用mysql_real_escape_string [英] Can't use mysql_real_escape_string
问题描述
因此,在使用mysql_real_escape_string时出现此警告
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'username'@'localhost' (using password: NO) in /home/path/php/functions.php on line 11
该站点的其余部分工作正常,可以连接到数据库以及所有数据库,但是使用此功能时出现错误.
它在我的localhost测试服务器上完全正常工作.
有什么想法吗?
我在自己的自制字符串卫生功能中使用了上述功能:
function sani($string){
$string = strip_tags($string);
$string = htmlspecialchars($string);
$string = trim(rtrim(ltrim($string)));
$string = mysql_real_escape_string($string);
return $string;
}
每次查询时我都会使用此功能...
function mm_mysqlquery($query) {
if (MM_DEBUG == true) { echo "Query: $query <br>"; mm_log("Query: $query"); } //print query if MM_DEBUG
$link = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die ("mysql_error: " . mysql_error());
$db_selected = mysql_select_db(DB_NAME);
return mysql_query($query, $link);
}
预先感谢!
第一点:如果从mysql_real_escape_string()收到错误,那是因为在连接数据库之前要调用该函数.
似乎您在运行查询之前就已连接到数据库.因此,在调用mm_mysqlquery()函数之前所做的任何操作都不会建立连接.
mysql_real_escape_string()函数需要与数据库的实时连接,因此它可以对连接的字符集进行正确的转义.因此,在转义之前,您需要先连接 .
无论如何最好这样做,因为如果您在单个PHP请求过程中进行了多个查询,则连接一次并为所有查询使用相同的连接会减少开销.
第二,请不要使用addslashes()的建议-它与mysql_real_escape_string()的作用不同.两者不可互换.您应该养成使用mysql_real_escape_string()的习惯.
第三,您的sani()函数显示出常见的误解.
function sani($string){
$string = strip_tags($string);
$string = htmlspecialchars($string);
$string = trim(rtrim(ltrim($string)));
$string = mysql_real_escape_string($string);
return $string;
}
常见的误解是您需要所有这些功能才能使SQL语句中的字符串安全.你不知道仅需要mysql_real_escape_string().此示例中的所有其他功能对防止SQL注入没有任何作用.
如果您在HTML演示文稿中输出字符串并希望减少XSS攻击的风险,那么这些功能很有用.
在相应的上下文中使用每种消毒方法.
So, I'm getting this warning when using mysql_real_escape_string
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'username'@'localhost' (using password: NO) in /home/path/php/functions.php on line 11
The rest of the site works fine, connects to the DB and all, but I get an error when using this function.
It works completely fine on my localhost testing server.
Any ideas?
I use aforementioned function in my own homebrew string sanitation function:
function sani($string){
$string = strip_tags($string);
$string = htmlspecialchars($string);
$string = trim(rtrim(ltrim($string)));
$string = mysql_real_escape_string($string);
return $string;
}
And I use this function every time I do queries...
function mm_mysqlquery($query) {
if (MM_DEBUG == true) { echo "Query: $query <br>"; mm_log("Query: $query"); } //print query if MM_DEBUG
$link = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die ("mysql_error: " . mysql_error());
$db_selected = mysql_select_db(DB_NAME);
return mysql_query($query, $link);
}
Thanks on beforehand!
First point: If you're getting an error from mysql_real_escape_string(), it's because you are calling the function before you're connected to the database.
It looks like you connect to the database right before you run a query. So anything you do before you call your mm_mysqlquery() function won't have a connection.
The mysql_real_escape_string() function needs a live connection to the database, so it can do the right kind of escaping with respect to the connection's character set. So you need to connect before you do escaping.
It's better to do that anyway, because if you make several queries during the course of a single PHP request, it's less overhead to connect once and use the same connection for all your queries.
Second, please don't take suggestions to use addslashes() -- it does not do the same thing as mysql_real_escape_string(). The two are not interchangeable. You should get into the habit of using mysql_real_escape_string().
Third, your sani() function shows a common misconception.
function sani($string){
$string = strip_tags($string);
$string = htmlspecialchars($string);
$string = trim(rtrim(ltrim($string)));
$string = mysql_real_escape_string($string);
return $string;
}
The common misconception is that you need all these functions to make a string safe in an SQL statement. You don't. Only mysql_real_escape_string() is necessary. All the other functions in this example do nothing to protect against SQL injection.
Those functions are useful if you output a string in an HTML presentation and you want to reduce the risk of XSS attacks, but then mysql_real_escape_string() is irrelevant.
Use each type of sanitizing method in its appropriate context.
这篇关于无法使用mysql_real_escape_string的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
