mysql_real_escape_string() is not escaping anything
https://stackoverflow.com/questions/4357340
-
08-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian문제
- would I need to use real escape in both my INSERT and SELECT FROM statements?
why the syntax I'm using in the following example isn't working (It's just one of the many ways I've tried)?
//insert user input for word 1 $sql = "INSERT INTO test (Word1, Word2, Word3, Word4, Word5) VALUES('$Word1','$Word2','$Word3','$Word4','$Word5')", mysql_real_escape_string($Word1), mysql_real_escape_string($Word2), mysql_real_escape_string($Word3), mysql_real_escape_string($Word4), mysql_real_escape_string($Word5); if(!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); }
해결책
I highly recommend that you avoid escaping altogether, and move directly to prepared statements with mysqli::prepare, perhaps via PDO. It's ultimately simpler and safer:
$dsn = 'mysql:dbname=test;host=127.0.0.1';
$user = 'dbuser';
$password = 'dbpass';
$dbh = new PDO($dsn, $user, $password);
$sql =
'INSERT INTO mytable ' .
'(Word1, Word2, Word3, Word4, Word5)' .
'VALUES(?, ?, ?, ?, ?)';
$stmt = $dbh->prepare($sql);
$words = array('word1', 'word2', 'word3', 'word4', 'word5');
$stmt->execute($words);
$words = array('word6', 'word7', 'word8', 'word9', 'word10');
$stmt->execute($words);
다른 팁
It looks like you are trying to use sprintf(), to do so properly you need to reformat your code a little:
$sql = sprintf("INSERT INTO test (Word1, Word2, Word3, Word4, Word5)
VALUES('%s','%s','%s','%s','%s')",
mysql_real_escape_string($Word1),
mysql_real_escape_string($Word2),
mysql_real_escape_string($Word3),
mysql_real_escape_string($Word4),
mysql_real_escape_string($Word5)
);
제휴하지 않습니다 StackOverflow
