我需要使用bind_param来摆脱数据注入。当我使用bind_param时,特殊字符如€或http://在mysql中被保存为صذÙ,。
1-我确定mysql表设置正确
2-我已将文字处理器的编码更改为UTF8。
3-我已经包含了许多utf8字符集。
有什么想法如何解决这个问题?或者我应该开始使用其他方法,如mysqli_real_escape_string?
($_POST["post_word"]在另一个页面生成)
$connect = mysqli_connect("r"," r","r","r"); //not real data here
$connect->set_charset('utf8');
$connect->query("SET NAMES utf8");
$querye= mysql_query("SET NAMES utf8");
mysqli_query($connect,"INSERT INTO wordtable ( wdate) VALUES (CURRENT_TIMESTAMP())");
$sqlz = "SELECT wid FROM wordtable ORDER BY wdate DESC LIMIT 1";
$resultz = mysql_query($sqlz);
$rowz = mysql_fetch_array($resultz);
$wid=$rowz['wid'];
$mysqli = new mysqli(HOSTNAME, MYSQLUSER, MYSQLPASS, MYSQLDB);
$connect->set_charset('utf8');
$unsafe_variable = $_POST["post_word"];
$stmt = $mysqli->prepare("UPDATE wordtable SET word=(?)
WHERE wid='$wid' ");
$stmt->bind_param("s", $unsafe_variable);
$stmt->execute();
$stmt->close();
$mysqli->close();
也许
$querye= mysql_query("SET NAMES utf8");