为了防注入,对sql查询语句加转义addslashes后,语句语法出现问题
【php+mysql的一个项目】
有一个用户,用户名是admin,密码是admin。
查询语句是:
<code>$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>然后查询:
<code>$res=mysql_query($sql); ……省略 </code>
因为防止sql注入,所以想在sql语句查询之前都进行一下转义,所以用addslashes对$sql语句转义了一下,但是就出错了。
<code>$sql=addslashes($sql); $res=mysql_query($sql); </code>
在没有加转义的那一行代码前,用admin,admin可以顺利登录。
加了之后,用admin,admin登录后,捕捉了如下错误,请教大牛们怎么破?
<code>错误编号:1064 错误内容:You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near '\'admin\' and a_password=\'21232f297a57a5a743894a0e4a801fc3\'' at line 1 </code>
多谢!
回复内容:
【php+mysql的一个项目】
有一个用户,用户名是admin,密码是admin。
查询语句是:
<code>$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>然后查询:
<code>$res=mysql_query($sql); ……省略 </code>
因为防止sql注入,所以想在sql语句查询之前都进行一下转义,所以用addslashes对$sql语句转义了一下,但是就出错了。
<code>$sql=addslashes($sql); $res=mysql_query($sql); </code>
在没有加转义的那一行代码前,用admin,admin可以顺利登录。
加了之后,用admin,admin登录后,捕捉了如下错误,请教大牛们怎么破?
<code>错误编号:1064 错误内容:You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near '\'admin\' and a_password=\'21232f297a57a5a743894a0e4a801fc3\'' at line 1 </code>
多谢!
少年,PDO才是王道.mysqli也行。
<code>php</code><code>$db = new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8','root','rootpass');
$stm = $db->prepare("select * from test where field = :value");
$stm->bindValue(':value',$_GET['field'],PDO::PARAM_STR);
$stm->execute();
$rows = $stm->fetchAll(PDO::FETCH_ASSOC);
var_dump($rows);
</code>再不济mysqli也可以。
<code>php</code><code>$db = new mysqli('127.0.0.1','root','rootpass','database_name');
$stmt = $db->prepare("select * from test where field = ?");
$stmt->bind_param('s',$_GET['field']);
$stmt->execute();
$rows = array();
while ($row = $stmt->fetch()) array_push($rows,$row);
var_dump($rows);
</code>
如果应用程序只使用预处理语句,可以确保不会发生SQL 注入。
------ php 手册 预处理语句
放弃mysql_query的写法吧,用pdo,另外建议不要使用addslashes,mysqli或者pdo有现成的转义方法
<code>$username = 'aaa';
$password = 'bbb';
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
echo addslashes($sql);
select * from table_project where a_username=\'aaa\' and a_password=\'bbb\';
</code>用来包裹字符串的单引号被转义了当然报错了。
另外还是建议使用PDO
好吧,我小白了。
我在用户名变量那个地方做了转义,没有对整个sql语句做转义,然后就好了。
<code>$username=addslashes($username); $password=md5($password); $sql="select * from table_project where...;"; </code>
密码是md5转换后的,用户名用addslashes转义后,然后放到sql语句中查询,貌似这样就行了。
不知道一般的项目中是不是也是这样处理的啊?
<code>php</code><code>$username=mysql_real_escape_string($username);
$password=mysql_real_escape_string($password);
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>
使用PDO,参数化查询,不要使用拼接字符串的方式。注意使用PDO需要先在php.ini里面开启该功能
你不能对整个SQL语句转义,需要转义的仅仅是变量而已。
<code> $username=addslashes($username);
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>
addslashes() 函数在指定的预定义字符前添加反斜杠。
这些预定义字符是:
单引号 (')
双引号 (")
反斜杠 ()
NULL
而加上\的意义在于mysql把它当作字符串来对待。
你不可以对$sql进行。如果你对整个$sql进行addslashes ,你可以打印一下你的sql语句,肯定是不正确的。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
How to fix mysql_native_password not loaded errors on MySQL 8.4
Dec 09, 2024 am 11:42 AM
One of the major changes introduced in MySQL 8.4 (the latest LTS release as of 2024) is that the "MySQL Native Password" plugin is no longer enabled by default. Further, MySQL 9.0 removes this plugin completely. This change affects PHP and other app
How To Set Up Visual Studio Code (VS Code) for PHP Development
Dec 20, 2024 am 11:31 AM
Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c
How do you parse and process HTML/XML in PHP?
Feb 07, 2025 am 11:57 AM
This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an
PHP Program to Count Vowels in a String
Feb 07, 2025 pm 12:12 PM
A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total
7 PHP Functions I Regret I Didn't Know Before
Nov 13, 2024 am 09:42 AM
If you are an experienced PHP developer, you might have the feeling that you’ve been there and done that already.You have developed a significant number of applications, debugged millions of lines of code, and tweaked a bunch of scripts to achieve op
Top 10 PHP CMS Platforms For Developers in 2024
Dec 05, 2024 am 10:29 AM
CMS stands for Content Management System. It is a software application or platform that enables users to create, manage, and modify digital content without requiring advanced technical knowledge. CMS allows users to easily create and organize content
How to Add Elements to the End of an Array in PHP
Feb 07, 2025 am 11:17 AM
Arrays are linear data structures used to process data in programming. Sometimes when we are processing arrays we need to add new elements to the existing array. In this article, we will discuss several ways to add elements to the end of an array in PHP, with code examples, output, and time and space complexity analysis for each method. Here are the different ways to add elements to an array: Use square brackets [] In PHP, the way to add elements to the end of an array is to use square brackets []. This syntax only works in cases where we want to add only a single element. The following is the syntax: $array[] = value; Example
