MySQL_real_escape_string不添加斜杠？ [英] MySQL_real_escape_string not adding slashes?

问题描述

所以我这样做：

   <?php
    session_start();
    include("../loginconnect.php");
mysql_real_escape_string($_POST[int]);
    $int = nl2br($_POST[int]);
    $query = "UPDATE `DB`.`TABLE` SET `interests`='$int' WHERE `user`='$_SESSION[user]'";
    mysql_query($query) or die(mysql_error());
    mysql_close($con);
    ?>

我们假设$ _POST [int]是Foo栏。单引号仍然未转义，并且由于引用，我在运行脚本时收到MySQL错误。什么问题？

And let's say that $_POST[int] is "Foo' bar." The single-quote remains unescaped AND I get a MySQL error when running the script, due to the quote. What's wrong?

推荐答案

m_r_e_s（）返回转义的值，它不会修改原始的。

m_r_e_s() RETURNS the escaped value, it doesn't modify the original.

$int = mysql_real_escape_string($_POST['int']);

$query = "UPDATE ... interests = '$int' ...";

请注意，我在 int 在POST值。没有引号，PHP将其视为一个常量值（例如define（））。如果没有找到该名称的常数，那么它礼貌地假定你的意思是使用一个字符串并进行相应的调整，但会发出警告。如果你已经做了

Note that I've added quotes around the int in the POST value. Without the quotes, PHP sees it as a constant value (e.g. define()). If it doesn't find a constant of that name, it politely assumes you meant it to be used a string and adjust accordingly, but issues a warning. If you had done

define('int', 'some totally wonky value');

以前，您将访问错误的POST值，因为PHP会将其视为 $ _ POST [一些完全不值得的价值] 。

previously, then you'd be accessing the wrong POST value, because PHP would see it as $_POST[some totally wonky value] instead.

这篇关于MySQL_real_escape_string不添加斜杠？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！