how do I use mysql real escape string?

故里飘歌 2021-01-20 00:42

The code here is still incomplete because I'm still going to ask you guys on what the proper format/syntax of using mysql escape string. I'm still a beginner in php and I wa

3 answers
  • 2021-01-20 01:04

    You'll need to escape the values before you put them into the query:

    $hnum = mysql_real_escape_string($_POST['hnum']);
    $query = "INSERT ... VALUES('$hnum')";
    

    If you have a lot of values, you can loop over them:

    $values = $_POST;
    
    foreach ($values as &$value) {
        $value = mysql_real_escape_string($value);
    }
    
    $query = "INSERT ... VALUES('$values[hnum]')";
    
  • 2021-01-20 01:08

    You're running mysql_real_escape_string on the variables AFTER inserting them into the string!

    You'd want to do

    $hnum  = mysql_real_escape_string($_POST['hnum']);   // escape each value first
    $rnum  = mysql_real_escape_string($_POST['rnum']);
    $adate = mysql_real_escape_string($_POST['adate']);
    $sqlque = "INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE)
               VALUES ('$hnum', '$rnum', '$adate', //etc.
    

    Even better, don't create SQL queries out of string substitution at all. I suggest using PDO and prepared statements/parameterized queries. A prepared statement takes care of escaping the input for you. Here's a good link with a rundown of how to use PDO instead of the mysql_* commands.

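    The PDO approach the answer above recommends, applied to the question's own INSERT INTO t2, as an added example (not code from any of the answers). It assumes a MySQL database reachable with the placeholder credentials shown, that the form fields are named after the columns in lowercase (hnum, rnum, adate, ...), and PHP 7.4 or later:

```php
<?php
// Added example: the INSERT from the question done with a PDO prepared statement.
// Assumed: DB name, user and password are placeholders; replace with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// The 22 columns of t2 as listed in the question. This fixed list is the only
// thing that ever becomes part of the SQL text.
$columns = ['HOSPNUM', 'ROOMNUM', 'ADATE', 'ADTIME', 'LASTNAME', 'FIRSTNAME',
            'MIDNAME', 'CSTAT', 'AGE', 'BDAY', 'ADDRESS', 'TELNUM', 'SEX',
            'STAT', 'STAT2', 'STAT3', 'STAT4', 'STAT5', 'STAT6', 'STAT7',
            'STAT8', 'NURSE'];

// One named placeholder per column, e.g. :hospnum, :roomnum, ...
$placeholders = array_map(fn($c) => ':' . strtolower($c), $columns);

// Unsafe pattern from the question, for contrast (never run this):
//   $sql = "INSERT INTO t2 (...) VALUES ('$_POST[hnum]', ...)";
$sql = 'INSERT INTO t2 (' . implode(', ', $columns) . ')'
     . ' VALUES (' . implode(', ', $placeholders) . ')';
$stmt = $pdo->prepare($sql);

// Bind every form value as a parameter. A value such as O'Brien is sent to
// MySQL as data and stored verbatim; no mysql_real_escape_string call needed.
// Assumed form field names: lowercase column names (hnum and rnum in the
// question map to hospnum and roomnum here; adjust the key lookup if yours differ).
$params = [];
foreach ($columns as $c) {
    $params[':' . strtolower($c)] = $_POST[strtolower($c)] ?? null;
}
$stmt->execute($params);

echo 'Inserted row id ' . $pdo->lastInsertId();
```

    With emulated prepares turned off, the SQL text and the values travel to the server separately, so a quote in a form field can never change the statement's structure.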
  • 2021-01-20 01:17

    you need to use this function like this

    ....VALUES ('".mysql_real_escape_string($_POST['hnum'])."',...
    