警告:mysql_real_escape_string():用户"@'localhost"的访问被拒绝(使用密码:NO) [英] Warning: mysql_real_escape_string(): Access denied for user ''@'localhost' (using password: NO)
问题描述
在不使用mysql_real_escape_string的情况下使用以下代码时,效果很好.我只是试图抓住一个可能带有撇号的文本字符串.从输入表单并将其格式化以放入mysql表中.
When is use the following code without mysql_real_escape_string, works fine. I simply trying to grab a text string that may have apost. from an input form and format it to put in mysql table.
<?php
$filenamee = $_FILES["file"]["name"];
$filename =strval($filenamee);
echo "file name is".$filename;
$con=mysqli_connect("localhost","blasbott_admin","lubu1973","blasbott_upload");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$companyName = mysql_real_escape_string($_POST['companyName']);
// $companyName = mysql_real_escape_string($companyNamee);
//$companyName = mysql_real_escape_string($companyNamee);
$sql="INSERT INTO ads (companyName, webSite, picture)
VALUES ('$companyName','$_POST[webSite]','$filename')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo"<br>";
echo "1 record added";
mysqli_close($con);
?>
推荐答案
您有遭受MySQL注入的风险.切勿先将数据直接插入数据库,而无需先进行某种类型的投影.这是主要的安全风险.也请改用mysqli_real_escape_string,并注意您的$ _POST [webSite]未受保护.
You're at risk of MySQL injections. Never insert data directly to a database without some sort of projection first. It's a major security risk. Also use mysqli_real_escape_string instead, and note that your $_POST[webSite] is unprotected.
此外,您的错误意味着您的数据库详细信息不正确.
Also, your error means that your database details are not correct.
这篇关于警告:mysql_real_escape_string():用户"@'localhost"的访问被拒绝(使用密码:NO)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!