题
How to add mysql_real_escape_string() after str_replace()?
https://stackoverflow.com/questions/20730839
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian$s='+'.str_replace(' ',' +',rawurldecode($_GET['search']));
$sql = '
SELECT * from table
where match
(keywords)
AGAINST
('".mysql_real_escape_string($s)."' IN BOOLEAN MODE)
order by date desc
limit '.mysql_real_escape_string($_GET['number']).',10
';
Is this the correct way to write the mysql_real_escape_string() in such a mysql full text search? Thanks.
解决方案
Yes, it is almost correct way (you have bad quote order), but functions you are using are depracted. Use mysqli. You should alsu use intval() because user can input text value and it generates error.
$sql = '
SELECT * from table
where match
(keywords)
AGAINST
("'.mysql_real_escape_string($s).'" IN BOOLEAN MODE)
order by date desc
limit '.intval($_GET['number']).',10
';
