0 
// inserting into DB from form

if (!empty($_POST['Title'])) {
    $t = mysqli_real_escape_string($dbc, ($_POST['Title']));
} else {
    $errors[] = 'Please enter a Headline title';
}

// Add the news to the database:

$q = 'INSERT INTO news ( Title, Content) VALUES (?, ?)';
$stmt = mysqli_prepare($dbc, $q);
mysqli_stmt_bind_param($stmt, 'ss', $t, $c);
mysqli_stmt_execute($stmt);

如果 $t 包含撇号,例如

We're awesome

它会将其添加到数据库中

"we\'re awesome"

稍后的:

然后我如何运行 title = $t 的查询

$q = "SELECT * FROM news WHERE title= '$t'";

查询失败,因为撇号有效地切断了 SQL

SELECT * FROM news WHERE title = ' we're awesome
4

2 回答 2

2

You can either escape or use prepared statements, but not both!

于 2013-04-15T16:57:47.540 回答
0

您再次在搜索中使用 mysqli_real_escape_string,就像使用插入一样。

$t = mysqli_real_escape_string($link,$t);
$q = "SELECT * FROM news WHERE title= '$t'";

而已。

于 2013-04-15T16:54:43.667 回答