我有一个PHP脚本,其中包含一些输入并应用mysqli_real_escape_string()
函数进行过滤。如下所示
$owner = mysqli_real_escape_string($conn,$_POST['owner']);
$purpose = mysqli_real_escape_string($conn,$_POST['purpose']);
$type = mysqli_real_escape_string($conn,$_POST['type']);
$city = mysqli_real_escape_string($conn,$_POST['city']);
$location = mysqli_real_escape_string($conn,$_POST['location']);
$description = mysqli_real_escape_string($conn,$_POST['description']);
$price = floatval($_POST['price']);
$land_area = floatval($_POST['area']);
$bedrooms = intval($_POST['bedrooms']);
$bathrooms = intval($_POST['bathrooms']);
$expire = mysqli_real_escape_string($conn,$_POST['expire']);
下面是插入查询
$query = "INSERT INTO add_property SET owner='".$owner."',purpose='".$purpose."', property_type='".$type."',city='".$city."',location='".$location."',description='".$description."',price='".$price."',land_area='".$land_area."',bedrooms='".$bedrooms."',bathrooms='".$bathrooms."',property_expire='".$expire."',image_url='".$targetfile."'";
$result = mysqli_query($conn,$query) or die(mysqli_error());
问题它转换字符串并添加一个斜杠,如果 ( ' )等,如果找到像 'abc 一样,它会将其转换为 '''abc 但不保存到数据库......它像.."美国广播公司
它将转义字符串以使其保持有效的 SQL 查询,而不是将转义的版本存储在数据库中。