I see a function GetSQLValueString and I don't know what it is dealing with; could someone give me some idea?
Thank you
function GetSQLValueString($t
This function returns a data-type-specific quoted string. It is used to avoid SQL injection.
I guess your problem is related to the mysqli_ issue. You need to change all mysql_ to mysqli_ and add the connection to the database as the first parameter. In my case the connection to the database is $conn_vote. Be aware that I added $conn as the function's parameter:
function GetSQLValueString($conn_vote, $theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
    // Undo magic quotes if this PHP build still applies them (get_magic_quotes_gpc() was removed in PHP 8.0)
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
    // Escape the raw value against the open mysqli connection (mysqli_escape_string is an alias of mysqli_real_escape_string)
    $theValue = function_exists("mysqli_real_escape_string") ? mysqli_real_escape_string($conn_vote, $theValue) : mysqli_escape_string($conn_vote, $theValue);

    switch ($theType) {
        case "text":
            // String literal: wrap the escaped value in single quotes, or emit NULL when empty
            $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
            break;
        case "long":
        case "int":
            // Integer: intval() discards anything that is not a number, so no quoting is needed
            $theValue = ($theValue != "") ? intval($theValue) : "NULL";
            break;
        case "double":
            // Floating point: cast to a double, then quote
            $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
            break;
        case "date":
            // Date: passed through as a quoted string literal
            $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
            break;
        case "defined":
            // Checkbox-style value: substitute one of the two caller-supplied constants
            $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
            break;
    }
    return $theValue;
}
Your function escapes the string using MySQL's built-in string escaping function, then, if it is a non-numeric value, surrounds it in single quotes. This function was written for inserting variable data into SQL queries.
$sql = "SELECT * FROM users WHERE username = " . GetSQLValueString($_GET['username'], 'text');
$result = mysql_query($sql);
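As an added example (not from the question or any of the answers), here is the lookup above written both in the escape-then-quote style that GetSQLValueString implements and as a mysqli prepared statement, the form that needs no quoting logic at all. Both functions assume an open mysqli connection $conn; the users table, its columns and the connection credentials are assumptions.

```php
<?php
// 1. The approach GetSQLValueString implements: escape, wrap in single quotes,
//    concatenate. This is only safe because the value ends up inside a quoted
//    string literal; an unquoted position (LIMIT, ORDER BY) is not protected.
function findUserEscaped(mysqli $conn, string $username): ?array
{
    $literal = "'" . mysqli_real_escape_string($conn, $username) . "'";
    $sql = "SELECT id, username FROM users WHERE username = " . $literal;
    $result = $conn->query($sql);
    if ($result === false) {
        throw new RuntimeException("query failed: " . $conn->error);
    }
    $row = $result->fetch_assoc();
    return $row ?: null;
}

// 2. The same lookup as a prepared statement: the SQL text and the value are
//    sent to the server separately, so the value is never parsed as SQL and
//    no escaping or quoting is required.
function findUserPrepared(mysqli $conn, string $username): ?array
{
    $stmt = $conn->prepare("SELECT id, username FROM users WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    $stmt->bind_param("s", $username);   // "s": bind the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with assumed credentials. For the input o'brien the escaped version
// sends ... WHERE username = 'o\'brien'; the prepared version binds it as-is.
$conn = new mysqli("localhost", "app_user", "app_pass", "app");
var_dump(findUserPrepared($conn, $_GET['username'] ?? ""));
```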
From my understanding this function is probably there to escape some data before passing it to MySQL. The function also handles null values and puts quotes around the value if needed.
It should be used this way:
GetSQLValueString("a value that I want to escape's", 'text');
See the SQL injection problem to understand why this function exists.