为了防注入,对sql查询语句加转义addslashes后,语句语法出现问题
【php+mysql的一个项目】
有一个用户,用户名是admin,密码是admin。
查询语句是:
<code>$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>然后查询:
<code>$res=mysql_query($sql); ……省略 </code>
因为防止sql注入,所以想在sql语句查询之前都进行一下转义,所以用addslashes对$sql语句转义了一下,但是就出错了。
<code>$sql=addslashes($sql); $res=mysql_query($sql); </code>
在没有加转义的那一行代码前,用admin,admin可以顺利登录。
加了之后,用admin,admin登录后,捕捉了如下错误,请教大牛们怎么破?
<code>错误编号:1064 错误内容:You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near '\'admin\' and a_password=\'21232f297a57a5a743894a0e4a801fc3\'' at line 1 </code>
多谢!
回复内容:
【php+mysql的一个项目】
有一个用户,用户名是admin,密码是admin。
查询语句是:
<code>$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>然后查询:
<code>$res=mysql_query($sql); ……省略 </code>
因为防止sql注入,所以想在sql语句查询之前都进行一下转义,所以用addslashes对$sql语句转义了一下,但是就出错了。
<code>$sql=addslashes($sql); $res=mysql_query($sql); </code>
在没有加转义的那一行代码前,用admin,admin可以顺利登录。
加了之后,用admin,admin登录后,捕捉了如下错误,请教大牛们怎么破?
<code>错误编号:1064 错误内容:You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near '\'admin\' and a_password=\'21232f297a57a5a743894a0e4a801fc3\'' at line 1 </code>
多谢!
少年,PDO才是王道.mysqli也行。
<code>php</code><code>$db = new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8','root','rootpass');
$stm = $db->prepare("select * from test where field = :value");
$stm->bindValue(':value',$_GET['field'],PDO::PARAM_STR);
$stm->execute();
$rows = $stm->fetchAll(PDO::FETCH_ASSOC);
var_dump($rows);
</code>再不济mysqli也可以。
<code>php</code><code>$db = new mysqli('127.0.0.1','root','rootpass','database_name');
$stmt = $db->prepare("select * from test where field = ?");
$stmt->bind_param('s',$_GET['field']);
$stmt->execute();
$rows = array();
while ($row = $stmt->fetch()) array_push($rows,$row);
var_dump($rows);
</code>
如果应用程序只使用预处理语句,可以确保不会发生SQL 注入。
------ php 手册 预处理语句
放弃mysql_query的写法吧,用pdo,另外建议不要使用addslashes,mysqli或者pdo有现成的转义方法
<code>$username = 'aaa';
$password = 'bbb';
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
echo addslashes($sql);
select * from table_project where a_username=\'aaa\' and a_password=\'bbb\';
</code>用来包裹字符串的单引号被转义了当然报错了。
另外还是建议使用PDO
好吧,我小白了。
我在用户名变量那个地方做了转义,没有对整个sql语句做转义,然后就好了。
<code>$username=addslashes($username); $password=md5($password); $sql="select * from table_project where...;"; </code>
密码是md5转换后的,用户名用addslashes转义后,然后放到sql语句中查询,貌似这样就行了。
不知道一般的项目中是不是也是这样处理的啊?
<code>php</code><code>$username=mysql_real_escape_string($username);
$password=mysql_real_escape_string($password);
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>
使用PDO,参数化查询,不要使用拼接字符串的方式。注意使用PDO需要先在php.ini里面开启该功能
你不能对整个SQL语句转义,需要转义的仅仅是变量而已。
<code> $username=addslashes($username);
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
</code>
addslashes() 函数在指定的预定义字符前添加反斜杠。
这些预定义字符是:
单引号 (')
双引号 (")
反斜杠 ()
NULL
而加上\的意义在于mysql把它当作字符串来对待。
你不可以对$sql进行。如果你对整个$sql进行addslashes ,你可以打印一下你的sql语句,肯定是不正确的。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1662
14
1419
52
1311
25
1261
29
1234
24
MySQL and phpMyAdmin: Core Features and Functions
Apr 22, 2025 am 12:12 AM
MySQL and phpMyAdmin are powerful database management tools. 1) MySQL is used to create databases and tables, and to execute DML and SQL queries. 2) phpMyAdmin provides an intuitive interface for database management, table structure management, data operations and user permission management.
The Continued Use of PHP: Reasons for Its Endurance
Apr 19, 2025 am 12:23 AM
What’s still popular is the ease of use, flexibility and a strong ecosystem. 1) Ease of use and simple syntax make it the first choice for beginners. 2) Closely integrated with web development, excellent interaction with HTTP requests and database. 3) The huge ecosystem provides a wealth of tools and libraries. 4) Active community and open source nature adapts them to new needs and technology trends.
MySQL vs. Other Programming Languages: A Comparison
Apr 19, 2025 am 12:22 AM
Compared with other programming languages, MySQL is mainly used to store and manage data, while other languages such as Python, Java, and C are used for logical processing and application development. MySQL is known for its high performance, scalability and cross-platform support, suitable for data management needs, while other languages have advantages in their respective fields such as data analytics, enterprise applications, and system programming.
The Compatibility of IIS and PHP: A Deep Dive
Apr 22, 2025 am 12:01 AM
IIS and PHP are compatible and are implemented through FastCGI. 1.IIS forwards the .php file request to the FastCGI module through the configuration file. 2. The FastCGI module starts the PHP process to process requests to improve performance and stability. 3. In actual applications, you need to pay attention to configuration details, error debugging and performance optimization.
Explain the purpose of foreign keys in MySQL.
Apr 25, 2025 am 12:17 AM
In MySQL, the function of foreign keys is to establish the relationship between tables and ensure the consistency and integrity of the data. Foreign keys maintain the effectiveness of data through reference integrity checks and cascading operations. Pay attention to performance optimization and avoid common errors when using them.
How to safely store JavaScript objects containing functions and regular expressions to a database and restore?
Apr 19, 2025 pm 11:09 PM
Safely handle functions and regular expressions in JSON In front-end development, JavaScript is often required...
Compare and contrast MySQL and MariaDB.
Apr 26, 2025 am 12:08 AM
The main difference between MySQL and MariaDB is performance, functionality and license: 1. MySQL is developed by Oracle, and MariaDB is its fork. 2. MariaDB may perform better in high load environments. 3.MariaDB provides more storage engines and functions. 4.MySQL adopts a dual license, and MariaDB is completely open source. The existing infrastructure, performance requirements, functional requirements and license costs should be taken into account when choosing.
SQL vs. MySQL: Clarifying the Relationship Between the Two
Apr 24, 2025 am 12:02 AM
SQL is a standard language for managing relational databases, while MySQL is a database management system that uses SQL. SQL defines ways to interact with a database, including CRUD operations, while MySQL implements the SQL standard and provides additional features such as stored procedures and triggers.
