【php+mysql的一个项目】
有一个用户,用户名是admin,密码是admin。
查询语句是:
<code>$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>
然后查询:
<code>$res=mysql_query($sql); ……省略 </code>
因为防止sql注入,所以想在sql语句查询之前都进行一下转义,所以用addslashes对$sql语句转义了一下,但是就出错了。
<code>$sql=addslashes($sql); $res=mysql_query($sql); </code>
在没有加转义的那一行代码前,用admin,admin可以顺利登录。
加了之后,用admin,admin登录后,捕捉了如下错误,请教大牛们怎么破?
<code>错误编号:1064 错误内容:You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near '\'admin\' and a_password=\'21232f297a57a5a743894a0e4a801fc3\'' at line 1 </code>
多谢!
回复内容:
【php+mysql的一个项目】
有一个用户,用户名是admin,密码是admin。
查询语句是:
<code>$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>
然后查询:
<code>$res=mysql_query($sql); ……省略 </code>
因为防止sql注入,所以想在sql语句查询之前都进行一下转义,所以用addslashes对$sql语句转义了一下,但是就出错了。
<code>$sql=addslashes($sql); $res=mysql_query($sql); </code>
在没有加转义的那一行代码前,用admin,admin可以顺利登录。
加了之后,用admin,admin登录后,捕捉了如下错误,请教大牛们怎么破?
<code>错误编号:1064 错误内容:You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near '\'admin\' and a_password=\'21232f297a57a5a743894a0e4a801fc3\'' at line 1 </code>
多谢!
少年,PDO才是王道.mysqli也行。
<code>php</code><code>$db = new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8','root','rootpass');
$stm = $db->prepare("select * from test where field = :value");
$stm->bindValue(':value',$_GET['field'],PDO::PARAM_STR);
$stm->execute();
$rows = $stm->fetchAll(PDO::FETCH_ASSOC);
var_dump($rows);
</code>
再不济mysqli也可以。
<code>php</code><code>$db = new mysqli('127.0.0.1','root','rootpass','database_name');
$stmt = $db->prepare("select * from test where field = ?");
$stmt->bind_param('s',$_GET['field']);
$stmt->execute();
$rows = array();
while ($row = $stmt->fetch()) array_push($rows,$row);
var_dump($rows);
</code>
如果应用程序只使用预处理语句,可以确保不会发生SQL 注入。
------ php 手册 预处理语句
放弃mysql_query的写法吧,用pdo,另外建议不要使用addslashes,mysqli或者pdo有现成的转义方法
<code>$username = 'aaa';
$password = 'bbb';
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
echo addslashes($sql);
select * from table_project where a_username=\'aaa\' and a_password=\'bbb\';
</code>
用来包裹字符串的单引号被转义了当然报错了。
另外还是建议使用PDO
好吧,我小白了。
我在用户名变量那个地方做了转义,没有对整个sql语句做转义,然后就好了。
<code>$username=addslashes($username); $password=md5($password); $sql="select * from table_project where...;"; </code>
密码是md5转换后的,用户名用addslashes转义后,然后放到sql语句中查询,貌似这样就行了。
不知道一般的项目中是不是也是这样处理的啊?
<code>php</code><code>$username=mysql_real_escape_string($username);
$password=mysql_real_escape_string($password);
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>
使用PDO,参数化查询,不要使用拼接字符串的方式。注意使用PDO需要先在php.ini里面开启该功能
你不能对整个SQL语句转义,需要转义的仅仅是变量而已。
<code> $username=addslashes($username);
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>
addslashes() 函数在指定的预定义字符前添加反斜杠。
这些预定义字符是:
单引号 (')
双引号 (")
反斜杠 ()
NULL
而加上\的意义在于mysql把它当作字符串来对待。
你不可以对$sql进行。如果你对整个$sql进行addslashes ,你可以打印一下你的sql语句,肯定是不正确的。
What is the best way to send an email using PHP?May 08, 2025 am 12:21 AMThebestapproachforsendingemailsinPHPisusingthePHPMailerlibraryduetoitsreliability,featurerichness,andeaseofuse.PHPMailersupportsSMTP,providesdetailederrorhandling,allowssendingHTMLandplaintextemails,supportsattachments,andenhancessecurity.Foroptimalu
Best Practices for Dependency Injection in PHPMay 08, 2025 am 12:21 AMThe reason for using Dependency Injection (DI) is that it promotes loose coupling, testability, and maintainability of the code. 1) Use constructor to inject dependencies, 2) Avoid using service locators, 3) Use dependency injection containers to manage dependencies, 4) Improve testability through injecting dependencies, 5) Avoid over-injection dependencies, 6) Consider the impact of DI on performance.
PHP performance tuning tips and tricksMay 08, 2025 am 12:20 AMPHPperformancetuningiscrucialbecauseitenhancesspeedandefficiency,whicharevitalforwebapplications.1)CachingwithAPCureducesdatabaseloadandimprovesresponsetimes.2)Optimizingdatabasequeriesbyselectingnecessarycolumnsandusingindexingspeedsupdataretrieval.
PHP Email Security: Best Practices for Sending EmailsMay 08, 2025 am 12:16 AMThebestpracticesforsendingemailssecurelyinPHPinclude:1)UsingsecureconfigurationswithSMTPandSTARTTLSencryption,2)Validatingandsanitizinginputstopreventinjectionattacks,3)EncryptingsensitivedatawithinemailsusingOpenSSL,4)Properlyhandlingemailheaderstoa
How do you optimize PHP applications for performance?May 08, 2025 am 12:08 AMTooptimizePHPapplicationsforperformance,usecaching,databaseoptimization,opcodecaching,andserverconfiguration.1)ImplementcachingwithAPCutoreducedatafetchtimes.2)Optimizedatabasesbyindexing,balancingreadandwriteoperations.3)EnableOPcachetoavoidrecompil
What is dependency injection in PHP?May 07, 2025 pm 03:09 PMDependencyinjectioninPHPisadesignpatternthatenhancesflexibility,testability,andmaintainabilitybyprovidingexternaldependenciestoclasses.Itallowsforloosecoupling,easiertestingthroughmocking,andmodulardesign,butrequirescarefulstructuringtoavoidover-inje
Best PHP Performance Optimization TechniquesMay 07, 2025 pm 03:05 PMPHP performance optimization can be achieved through the following steps: 1) use require_once or include_once on the top of the script to reduce the number of file loads; 2) use preprocessing statements and batch processing to reduce the number of database queries; 3) configure OPcache for opcode cache; 4) enable and configure PHP-FPM optimization process management; 5) use CDN to distribute static resources; 6) use Xdebug or Blackfire for code performance analysis; 7) select efficient data structures such as arrays; 8) write modular code for optimization execution.
PHP Performance Optimization: Using Opcode CachingMay 07, 2025 pm 02:49 PMOpcodecachingsignificantlyimprovesPHPperformancebycachingcompiledcode,reducingserverloadandresponsetimes.1)ItstorescompiledPHPcodeinmemory,bypassingparsingandcompiling.2)UseOPcachebysettingparametersinphp.ini,likememoryconsumptionandscriptlimits.3)Ad
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Dreamweaver Mac version
Visual web development tools
WebStorm Mac version
Useful JavaScript development tools
Dreamweaver CS6
Visual web development tools
SublimeText3 English version
Recommended: Win version, supports code prompts!
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
