我一直在对mysqli_real_escape_string()进行一些研究,但我并不真正了解如何在我的情况下正确使用它来帮助防止SQLInjection,使用我下面的代码,有人可以帮助我纠正这个问题吗?我感谢所有的帮助。这里关于重新保护sql注入和php的其他问题并没有真正回答我的问题,当我使用它时,在我的格式中重新保护正确的语法用法:
"$city = mysqli_real_escape_string($_POST['City']);
无论输入"%$city%"或"%$business%",我都只得到了我的通用搜索
<?php
$con = mysqli_connect(........);
// Check connection
if (mysqli_connect_errno())
{
echo "<option>Failed to connect to the Database</option>" ;
}
$city = mysqli_real_escape_string($con, $_POST['City']);
$business = mysqli_real_escape_string($con, $_POST['Business']);
$result = mysqli_query($con,"SELECT * FROM Business WHERE City LIKE '%$city%' AND BName LIKE '%$business%' ORDER BY City, BName ASC");
while($row = mysqli_fetch_array($result))
{
// do stuff here
}
// No other results
echo "<center>No other listings like $city or $business</center>";
// Free result set
mysqli_free_result($result);
mysqli_close($con);
?>
你必须
使用mysqli_real_escape_string而不是mysql_real_escape_string,因为你使用的是mysqli_*函数。
字符串mysqli_real_escape_string ( mysqli $link , string $escapestr )
您必须重写转义序列
$city = mysqli_real_escape_string ($con, $_POST['City']);
$business = mysqli_real_escape_string ($con, $_POST['Business']);
为了防止sql injection使用prepaid statements。