The code here is still incomplete because I'm still going to ask you guys on what the proper format/syntax of using mysql escape string. Im still a beginner in php and I want to learn how to avoid sql injections. Is the code below correct?
这里的代码仍然不完整,因为我仍然要问你们使用mysql转义字符串的正确格式/语法。我还是一个php初学者,我想学习如何避免sql注入。下面的代码是正确的吗?
$con = mysql_connect("localhost","root","mypwd");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("Hospital", $con);
$sqlque="INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE)
VALUES ('$_POST[hnum]', '$_POST[rnum]', '$_POST[adate]', '$_POST[adtime]', '$_POST[lname]', '$_POST[fname]', '$_POST[mname]', '$_POST[cs]', '$_POST[age]', '$_POST[bday]', '$_POST[ad]', '$_POST[telnum]', '$_POST[sex]', '$_POST[stats1]', '$_POST[stats2]', '$_POST[stats3]', '$_POST[stats4]', '$_POST[stats5]', '$_POST[stats6]', '$_POST[stats7]', '$_POST[stats8]', '$_POST[nurse]')";
mysql_real_escape_string($_POST[hnum]),
mysql_real_escape_string($_POST[rnum]);
mysql_real_escape_string($_POST[adate]);
3 个解决方案
#1
8
You'll need to escape the values before you put them into the query:
在将值放入查询之前,您需要转义这些值:
$hnum = mysql_real_escape_string($_POST['hnum']);
$query = "INSERT ... VALUES('$hnum')";
If you have a lot of values, you can loop over them:
如果你有很多值,你可以循环它们:
$values = $_POST;
foreach ($values as &$value) {
$value = mysql_real_escape_string($value);
}
$query = "INSERT ... VALUES('$values[hnum]')";
#2
1
You're running mysql_real_escape_string on the variables AFTER inserting them into the string!
在将它们插入到字符串后,您将在变量上运行mysql_real_escape_string !
You'd want to do
你想做的事
$hnum = mysql_real_escape_string($_POST[hnum]),
$rnum = mysql_real_escape_string($_POST[rnum]);
$adate = mysql_real_escape_string($_POST[adate]);
$sqlque="INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE)
VALUES ($hnum,$rnum,$adate', //etc.
Even better, don't create SQL queries out of string substitution at all. I suggest using PDO and prepared statements/parameterized queries. A prepared statement takes care of escaping the input for you. Here's a good link with a rundown of how to use PDO instead of the mysql_* commands.
更妙的是,不要用字符串替换来创建SQL查询。我建议使用PDO和准备语句/参数化查询。准备好的语句负责为您转义输入。这里有一个很好的链接,简要介绍了如何使用PDO而不是mysql_*命令。
#3
0
you need to use this function like this
你需要像这样使用这个函数
....VALUES (".mysql_real_escape_string('$_POST[hnum]').",...
#1
8
You'll need to escape the values before you put them into the query:
在将值放入查询之前,您需要转义这些值:
$hnum = mysql_real_escape_string($_POST['hnum']);
$query = "INSERT ... VALUES('$hnum')";
If you have a lot of values, you can loop over them:
如果你有很多值,你可以循环它们:
$values = $_POST;
foreach ($values as &$value) {
$value = mysql_real_escape_string($value);
}
$query = "INSERT ... VALUES('$values[hnum]')";
#2
1
You're running mysql_real_escape_string on the variables AFTER inserting them into the string!
在将它们插入到字符串后,您将在变量上运行mysql_real_escape_string !
You'd want to do
你想做的事
$hnum = mysql_real_escape_string($_POST[hnum]),
$rnum = mysql_real_escape_string($_POST[rnum]);
$adate = mysql_real_escape_string($_POST[adate]);
$sqlque="INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE)
VALUES ($hnum,$rnum,$adate', //etc.
Even better, don't create SQL queries out of string substitution at all. I suggest using PDO and prepared statements/parameterized queries. A prepared statement takes care of escaping the input for you. Here's a good link with a rundown of how to use PDO instead of the mysql_* commands.
更妙的是,不要用字符串替换来创建SQL查询。我建议使用PDO和准备语句/参数化查询。准备好的语句负责为您转义输入。这里有一个很好的链接,简要介绍了如何使用PDO而不是mysql_*命令。
#3
0
you need to use this function like this
你需要像这样使用这个函数
....VALUES (".mysql_real_escape_string('$_POST[hnum]').",...