PHP - GetSQLValueString function

Notice: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same license, cite the original address, and attribute it to the original authors (not me): StackOverflow. Original: http://stackoverflow.com/questions/4458180/

Date: 2020-08-25 13:05:40  Source: igfitidea

PHP - GetSQLValueString function

php

Asked by Charles Yeung

I see a function GetSQLValueString and I don't know what it is dealing with, could someone give me some idea?
Thank you

// Helper generated by Dreamweaver's server behaviors: escapes $theValue for MySQL,
// then quotes or casts it according to $theType so the result can be concatenated
// straight into an SQL statement. Empty input becomes the SQL literal NULL.
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  // If magic_quotes_gpc already added backslashes, strip them so the value is not escaped twice
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  // Escape quotes, backslashes and NUL bytes using the current MySQL connection's character set
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";   // quoted string literal
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";       // unquoted integer, cast with intval()
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";   // quoted float
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";   // quoted as-is; not validated as a date
      break;
    case "defined":
      // Return one of two caller-supplied SQL fragments, depending on whether a value was given
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

The function is used here:

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "main.php";
  $MM_redirectLoginFailed = "login_form.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_connection1, $connection1);

  $LoginRS__query=sprintf("SELECT username, password FROM member WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
...

Answered by Dan Grossman

Your function escapes the string using MySQL's built-in string escaping function, then, if it is a non-numeric value, surrounds it in single quotes. This function was written for inserting variable data into SQL queries.

$sql = "SELECT * FROM users WHERE username = " . GetSQLValueString($_GET['username'], 'text');
$result = mysql_query($sql);
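The same login lookup from the question, rewritten with PDO prepared statements. This is an added example and not code from the question or any of the answers. The user input is bound as a parameter and never spliced into the SQL text, so the escape-and-quote step that GetSQLValueString performs is not needed, and the result does not depend on the escaping function knowing the connection's character set. It assumes an in-memory SQLite database with a constructed sample row so it runs offline; the table name and columns are taken from the question's query, and the MySQL DSN in the comment is illustrative.

```php
<?php
// Added example: PDO prepared statements as the replacement for building the
// query with GetSQLValueString(). Not from the original question or answers.
//
// Assumption: runs against an in-memory SQLite database with constructed sample
// data. For MySQL, use a DSN such as
//   "mysql:host=localhost;dbname=app;charset=utf8mb4"
// with a username and password as the 2nd and 3rd constructor arguments.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample row; the schema follows the question's query: member(username, password).
$pdo->exec('CREATE TABLE member (username TEXT NOT NULL, password TEXT NOT NULL)');
$pdo->exec("INSERT INTO member (username, password) VALUES ('alice', 'correct horse')");

/**
 * Binds a value with the typing GetSQLValueString applied: empty input becomes
 * SQL NULL, "int"/"long" is bound as an integer, everything else as a string.
 * Unlike the original, nothing here is concatenated into the query text.
 */
function bindTyped(PDOStatement $stmt, string $name, $value, string $type): void
{
    if ($value === null || $value === '') {
        $stmt->bindValue($name, null, PDO::PARAM_NULL);
        return;
    }
    if ($type === 'int' || $type === 'long') {
        $stmt->bindValue($name, (int) $value, PDO::PARAM_INT);
        return;
    }
    // "text", "date", "double": bound as a string; the driver handles quoting.
    $stmt->bindValue($name, (string) $value, PDO::PARAM_STR);
}

/** Same SELECT as in the question, with named placeholders instead of %s. */
function findMember(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT username, password FROM member WHERE username = :u AND password = :p'
    );
    bindTyped($stmt, ':u', $username, 'text');
    bindTyped($stmt, ':p', $password, 'text');
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A valid login is found.
$ok = findMember($pdo, 'alice', 'correct horse');
echo $ok ? "login ok for {$ok['username']}\n" : "login failed\n";

// The classic tautology payload is compared literally against the column
// values and matches no row, because it is treated as data, not as SQL.
$attack = findMember($pdo, "' OR '1'='1", "' OR '1'='1");
echo $attack ? "INJECTION SUCCEEDED\n" : "injection payload matched nothing\n";
```

The example keeps the question's semantics of comparing the password column directly in the query. In a real application the stored value should be a password_hash() result, with the row fetched by username and the candidate checked with password_verify() in PHP rather than in SQL.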

Answered by RageZ

From my understanding this function is probably there to escape some data to pass it to MySQL. The function also handles null values and puts some quotes in if needed.

It should be used this way:

GetSQLValueString("a value that I want to escape's", 'text');

See the SQL injection problem to understand why this function exists.

Answered by Shameer

This function returns a data-type-specific quoted string. This is used to avoid SQL injection.

Answered by Antonio Sciortino

I guess your problem is related to the mysqli_ issue. You need to change all mysql_ to mysqli_ and add the connection to the database as the first parameter. In my case the connection to the database is $conn_vote. Be aware that I added $conn as the function's parameter:

function GetSQLValueString($conn_vote, $theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  // get_magic_quotes_gpc() was removed in PHP 8.0; drop this line when running there
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  // mysqli takes the connection handle as the first argument so it can escape for that connection's charset
  $theValue = function_exists("mysqli_real_escape_string") ? mysqli_real_escape_string($conn_vote, $theValue) : mysqli_escape_string($conn_vote, $theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
