MySQL_real_escape_string不添加斜杠? [英] MySQL_real_escape_string not adding slashes?
问题描述
所以我这样做:
<?php
session_start();
include("../loginconnect.php");
mysql_real_escape_string($_POST[int]);
$int = nl2br($_POST[int]);
$query = "UPDATE `DB`.`TABLE` SET `interests`='$int' WHERE `user`='$_SESSION[user]'";
mysql_query($query) or die(mysql_error());
mysql_close($con);
?>
我们假设$ _POST [int]是Foo栏。单引号仍然未转义,并且由于引用,我在运行脚本时收到MySQL错误。什么问题?
And let's say that $_POST[int] is "Foo' bar." The single-quote remains unescaped AND I get a MySQL error when running the script, due to the quote. What's wrong?
推荐答案
m_r_e_s()返回转义的值,它不会修改原始的。
m_r_e_s() RETURNS the escaped value, it doesn't modify the original.
$int = mysql_real_escape_string($_POST['int']);
$query = "UPDATE ... interests = '$int' ...";
请注意,我在 int
在POST值。没有引号,PHP将其视为一个常量值(例如define())。如果没有找到该名称的常数,那么它礼貌地假定你的意思是使用一个字符串并进行相应的调整,但会发出警告。如果你已经做了
Note that I've added quotes around the int
in the POST value. Without the quotes, PHP sees it as a constant value (e.g. define()). If it doesn't find a constant of that name, it politely assumes you meant it to be used a string and adjust accordingly, but issues a warning. If you had done
define('int', 'some totally wonky value');
以前,您将访问错误的POST值,因为PHP会将其视为 $ _ POST [一些完全不值得的价值]
。
previously, then you'd be accessing the wrong POST value, because PHP would see it as $_POST[some totally wonky value]
instead.
这篇关于MySQL_real_escape_string不添加斜杠?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!