
Trying to make my blog secure and learning prepared statements.

Although I set the variable, I still get all the entries from the database. $escapedGet is a real variable when I print it out. It's obviously a rookie mistake, but I can't seem to find an answer.

I need to get the data where postlink is $escapedGet not all the data.

    $escapedGet = mysql_real_escape_string($_GET['article']);

    // Create statement object
    $stmt = $con->stmt_init();

    // Create a prepared statement
    if ($stmt->prepare("SELECT `title`, `description`, `keywords` FROM `post` WHERE `postlink` = ?")) {

        // Bind your variable to replace the ?
        $stmt->bind_param('i', $postlink);

        // Set your variable
        $postlink = $escapedGet;

        // Execute query
        $stmt->execute();

        $stmt->bind_result($articleTitle, $articleDescription, $articleKeywords);

        while ($stmt->fetch()) {
            echo $articleTitle, $articleDescription, $articleKeywords;
        }

        // Close statement object
        $stmt->close();
    }

Just tried this: `echo $escapedGet; echo $_GET['article'];`

and got `some_other`, that's the same entry that I have saved in the database as postlink.

Tried to change postlink to id, and then it worked. But why not with the postlink tab?


1 Answer


When you bind data with the `'i'` modifier, it is bound as an integer. That means the string will be cast to 0 in the final statement.

And because MySQL also does type casting, your string becomes zero in this query:

SELECT title FROM post WHERE postlink = 0;

Try it: for a text postlink you will get back all the records (and a pile of warnings).

So bind strings with the `s` modifier, not `i`.

answered 2013-03-20T11:07:43.300
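A corrected version of the lookup from the question, added here as an example (it is not code from the question or the answer). It assumes `$con` is an open `mysqli` connection to the database with the `post` table described above; the function name `fetchPostByLink` is my own.

```php
<?php
// Added example: look up one post by its postlink with a mysqli prepared statement.
// Assumes $con is an open mysqli connection to the database from the question.

function fetchPostByLink(mysqli $con, string $postlink): ?array
{
    // No mysql_real_escape_string() here: with a prepared statement the value travels
    // separately from the SQL text, so escaping it first would only corrupt the value
    // being compared (a postlink containing a quote would never match).
    $stmt = $con->prepare(
        'SELECT `title`, `description`, `keywords` FROM `post` WHERE `postlink` = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }

    // 's' binds the value as a string. With 'i', a non-numeric postlink such as
    // "some_other" is sent as the integer 0; MySQL then casts the text column to a
    // number (0 for non-numeric text), so `postlink = 0` is true for every row.
    $stmt->bind_param('s', $postlink);
    $stmt->execute();
    $stmt->bind_result($title, $description, $keywords);

    $row = null;
    if ($stmt->fetch()) {
        $row = ['title' => $title, 'description' => $description, 'keywords' => $keywords];
    }
    $stmt->close();
    return $row;
}

// Usage with the request parameter from the question.
$post = fetchPostByLink($con, (string) ($_GET['article'] ?? ''));
if ($post === null) {
    http_response_code(404);
    echo 'No such article';
} else {
    // Escape on output, not on input: the value came from the database, not from SQL text.
    echo htmlspecialchars($post['title'], ENT_QUOTES, 'UTF-8');
}
```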