PHP mysql_real_escape_string 返回空字符串
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10339373/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP mysql_real_escape_string returns empty string
提问by Drake
I'm trying to work a bit of security and sanitization into my databases application (for a class). to start off with, i'm trying to use mysql_real_escape_string, but whenever i use it, it always returns an empty string!
我正在尝试对我的数据库应用程序(对于一个班级)进行一些安全和清理工作。首先,我正在尝试使用 mysql_real_escape_string,但是每当我使用它时,它总是返回一个空字符串!
Here's the connection code:
这是连接代码:
include_once ("./connect.php");
$db_connection = new mysqli($SERVER, $USERNAME, $PASSWORD, $DATABASE);
if (mysqli_connect_errno()) {
echo("Can't connect to MySQL Server. Error code: " . mysqli_connect_error());
return null;
}
$field = mysql_real_escape_string($_GET['value']);
$upc = $_GET['upc'];
$type = $_GET['field_type'];
echo $field;
echo $upc;
echo $type;
When the php actually gets executed, the $upc and $type gets printed, but NOTHING for $field. Ive tried using an intermediate string, but i get the same result. I'm seriously at a loss as to what it is thats going wrong here.
当 php 实际执行时,会打印 $upc 和 $type,但 $field 没有任何内容。我试过使用中间字符串,但我得到了相同的结果。我真的不知道这里出了什么问题。
Also, I've done a var_dump on $field, and it claims mysql_real_escape_stringreturns FALSE, which is supposed to happen when there isn't a connection(?), but there is one.
另外,我在 上做了一个 var_dump $field,它声称mysql_real_escape_string返回FALSE,这应该在没有连接时发生(?),但有一个。
回答by jeroen
You are connecting using mysqli, not mysql, so you need mysqli_real_escape_string
您正在使用 mysqli 而不是 mysql 进行连接,因此您需要 mysqli_real_escape_string
Although you could easily use prepared statements in mysqli and then you wouldn't need either...
尽管您可以轻松地在 mysqli 中使用准备好的语句,然后您也不需要......
回答by Baba
See PHP Documentation http://php.net/manual/en/function.mysql-real-escape-string.php
请参阅 PHP 文档http://php.net/manual/en/function.mysql-real-escape-string.php
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
MySQL 连接。如果未指定链接标识符,则假定为 mysql_connect() 打开的最后一个链接。如果没有找到这样的链接,它会尝试创建一个链接,就好像 mysql_connect() 是在没有参数的情况下调用的一样。如果未找到或建立连接,则会生成 E_WARNING 级别错误。
Which Means you need an active connection to use this function
这意味着您需要一个活动连接才能使用此功能
If you are not seeing any error try
如果您没有看到任何错误,请尝试
error_reporting(E_ALL);
ini_set('display_errors','On');
mysql_real_escape_stringalternative
mysql_real_escape_string选择
Use
用
$escaped = htmlspecialchars($_GET['value'], ENT_QUOTES, "ISO-8859-1");
OR
或者
$escaped = filter_var($_GET['value'], FILTER_SANITIZE_STRING);
回答by mumush
You're getting any empty string because the function takes two parameters; the actual connection to the database and then the string. Use this:
你得到任何空字符串,因为该函数有两个参数;到数据库的实际连接,然后是字符串。用这个:
$sanitizedField = mysqli_real_escape_string($connection, $field);
回答by PJ Brunet
"This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used." from http://php.net/manual/en/function.mysql-real-escape-string.php
“这个扩展从 PHP 5.5.0 开始被弃用,将来会被删除。相反,应该使用 MySQLi 或 PDO_MySQL 扩展。” 来自http://php.net/manual/en/function.mysql-real-escape-string.php
Simply adding "i" to the function name is not the solution. Notice the link identifier parameter is no longer optional http://www.php.net/manual/en/mysqli.real-escape-string.php
简单地将“i”添加到函数名称不是解决方案。注意链接标识符参数不再是可选的http://www.php.net/manual/en/mysqli.real-escape-string.php
PS: As far as the downvotes, I stand by my answer. The function in the question is going to be removed from PHP, that's a big deal and I felt it needed to be pointed out since nobody else mentioned it. Do you disagree? The specifics of the original question are important but many people (including myself) came here looking for information on mysql_real_escape_string() and the first thing you should realize when looking for information about mysql_real_escape_string() is that it's deprecated. Sysadmins will have to upgrade PHP sooner or later and no doubt a ton of applications are still using this deprecated function.
PS:至于否决票,我支持我的回答。问题中的函数将从 PHP 中删除,这很重要,我觉得需要指出它,因为没有其他人提到它。你不同意吗?原始问题的细节很重要,但很多人(包括我自己)来到这里寻找有关 mysql_real_escape_string() 的信息,在查找有关 mysql_real_escape_string() 的信息时,您应该意识到的第一件事是它已被弃用。系统管理员迟早必须升级 PHP,毫无疑问,大量应用程序仍在使用这个已弃用的功能。
回答by Shadaksharayya H A
We also faced same problem. mysql_real_escape_string was working on our development Linux system but not working on test bed. We were wondering why it works on our system and not on test bed even though all php rpms are of same version. After referring PHP documentation, found that it is mandatory to have active connection to MySQL before calling mysql_real_escape_string. If there is no active connection then PHP internally tries to connect to MySQL with default parameters. When PHP internally tried connecting to database on our development machine it worked but it failed on our test bed and resulted in empty response for call to mysql_real_escape_string. After adding call to mysql_connect() before mysql_real_escape_string() our problem got solved.
我们也面临同样的问题。mysql_real_escape_string 在我们的开发 Linux 系统上工作,但不在测试平台上工作。我们想知道为什么它可以在我们的系统上运行而不是在测试台上运行,即使所有的 php rpms 都是相同的版本。参考PHP文档,发现调用mysql_real_escape_string之前必须主动连接MySQL。如果没有活动连接,则 PHP 在内部尝试使用默认参数连接到 MySQL。当 PHP 在内部尝试连接到我们开发机器上的数据库时,它可以工作,但在我们的测试平台上失败,导致调用 mysql_real_escape_string 时响应为空。在 mysql_real_escape_string() 之前添加对 mysql_connect() 的调用后,我们的问题就解决了。
Below was the error when we run mysql command and this error was not seen on our development machine and command successfully connected to database server. ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
下面是我们运行 mysql 命令时的错误,在我们的开发机器上没有看到这个错误,并且命令成功连接到数据库服务器。错误 1045 (28000):用户“root”@“localhost”的访问被拒绝(使用密码:否)
Conclusion is that we have to explicitly connect to mysql before calling mysql_real_escape_string. Internal attempt by php to connect to database can work on some system and fail on some other systems depending on security levels or login credentials.
结论是我们必须在调用mysql_real_escape_string之前显式连接到mysql。php 连接到数据库的内部尝试可以在某些系统上工作,而在某些其他系统上失败,具体取决于安全级别或登录凭据。
回答by scylla
@ jeroen seems to explain it. Although it should work without connecting to database on local server(many things work this way) but it would not on web server except you connect to database before mysql_rea..... I just tried it and it worked. Thats why he earned my vote
@jeroen 似乎解释了它。虽然它应该在没有连接到本地服务器上的数据库的情况下工作(很多事情都是这样工作的)但它不会在网络服务器上除非你在 mysql_rea 之前连接到数据库...... 这就是为什么他赢得了我的选票
