最受欢迎

MySQL Query in AJAX to PHP Call Defeated By PHP's "

MySQL Query in AJAX to PHP Call Defeated By PHP's "strip_tags" Function

本文关键字:PHP quot By Call in Query AJAX to MySQL Defeated | 更新日期: 2023-09-27

在我的PHP应用程序的幕后,我有一个AJAX调用,它发送一个URL编码字符串(通过JavaScript的"encodeURIComponent"函数)给一个PHP函数,以便在MySQL查询中使用:

select ID,Type from table where Type like '' and ID = n;

传递给PHP函数的"Type"字符串看起来像这样:

"size < 5"

给出如下MySQL查询:

select ID,Type from table where Type like 'size < 5' and ID = n;
唯一的问题是,当PHP函数获得字符串时,它立即使用它的"strip_tags"函数来清理字符串,这将我的结束查询变成: 
select ID,Type from table where Type like 'size ' and ID = n;
由于SQL注入问题,我不想使用"strip_tags",但是我用来保护自己的东西使我无法执行所需的功能。有什么安全的方法来解决这个问题吗?

使用PDO,尝试这样做

       <?php
        $pdo = new PDO('mysql:host=yourHostName;dbname=yourDatabaseName', "Username", "Password");
        $query = "SELECT `ID`,`Type` FROM table WHERE `Type` LIKE :type";
        $prepare = $pdo->prepare($query, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
        $type = "size < 5";
        $prepare->execute(array(':type' => $type));
        $array_result = $prepare->fetchAll();
        ?>
相关文章:
最新更新
www.56WenDa.com 2012-2023 | php问答网 | php学习