
I'm trying to sanitize a string going into my database. But with the code below, I don't get the update to my db.

First page posts this in an input form:

$note="Here is some example text";

Receiving page:

$note = $_POST['note'];
$note = mysql_real_escape_string($note);
$sql="UPDATE some_table SET notes='$note' WHERE id='$some_id'";
$result=mysql_query($sql);

When I take out the mysql_real_escape_string line it works, but not with it in there. What am I missing?

Thanks!


1 Answer


I strongly recommend using prepared statements; mysql_real_escape_string() will not fully protect you from SQL injection.

Your update as an example:

<?php
// connection (PDO, with the MySQL driver)
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);

// query: the two ? placeholders are filled by PDO, so no escaping call is needed
$sql = "UPDATE some_table 
        SET notes=? 
        WHERE id=?";
$q = $conn->prepare($sql);
// bind the values in placeholder order (was $$_POST['note'], a variable-variable typo)
$q->execute(array($_POST['note'], $some_id));
?>

More details: http://www.php.net/manual/en/intro.pdo.php

answered 2013-06-10T23:31:19.627
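As an added example (not part of the answer above), here is the same UPDATE written so that a failed query is reported instead of silently doing nothing, and so the caller can tell a missing id from a real error. It assumes an in-memory SQLite database with a constructed `some_table` so it runs offline; the `update_note` function name and the MySQL DSN placeholders are assumptions.

```php
<?php
// Added example: parameterised UPDATE via PDO with exceptions enabled.
// SQLite in memory is used so the script runs offline; in production replace the DSN
// with "mysql:host=$dbhost;dbname=$dbname" and pass $dbuser / $dbpass.
$conn = new PDO('sqlite::memory:');
// Without this, a failing prepare()/execute() just returns false and the update
// quietly never happens, which is exactly the symptom described in the question.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and sample row.
$conn->exec("CREATE TABLE some_table (id INTEGER PRIMARY KEY, notes TEXT)");
$conn->exec("INSERT INTO some_table (id, notes) VALUES (7, 'old note')");

/**
 * Update the notes column for one row and return the number of rows changed.
 * A database error throws PDOException; an unknown id simply returns 0.
 */
function update_note(PDO $conn, int $id, string $note): int
{
    // Named placeholders: the SQL text never contains user data.
    $q = $conn->prepare("UPDATE some_table SET notes = :notes WHERE id = :id");
    $q->bindValue(':notes', $note, PDO::PARAM_STR);
    $q->bindValue(':id', $id, PDO::PARAM_INT);
    $q->execute();
    return $q->rowCount();
}

// Constructed stand-in for $_POST['note']; the apostrophe needs no escaping call.
$input = "Here's some example text with a ' quote";

try {
    $changed = update_note($conn, 7, $input);
    echo "rows updated: $changed\n";

    // The value is stored exactly as given, quote included.
    $stored = $conn->query("SELECT notes FROM some_table WHERE id = 7")->fetchColumn();
    echo ($stored === $input) ? "stored verbatim\n" : "mismatch\n";

    // An id that does not exist is not an error, just zero rows changed.
    echo "rows updated: " . update_note($conn, 999, "x") . "\n";
} catch (PDOException $e) {
    // Log the driver message server-side; do not echo it to end users.
    error_log("update failed: " . $e->getMessage());
}
```

Checking `rowCount()` after `execute()` is how you distinguish "the WHERE clause matched nothing" from "the query ran"; with `ERRMODE_EXCEPTION` the third case, "the query failed", can no longer pass unnoticed.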