问题
When is use the following code without mysql_real_escape_string, works fine. I simply trying to grab a text string that may have apost. from an input form and format it to put in mysql table.
<?php
$filenamee = $_FILES["file"]["name"];
$filename =strval($filenamee);
echo "file name is".$filename;
$con=mysqli_connect("localhost","blasbott_admin","lubu1973","blasbott_upload");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$companyName = mysql_real_escape_string($_POST['companyName']);
// $companyName = mysql_real_escape_string($companyNamee);
//$companyName = mysql_real_escape_string($companyNamee);
$sql="INSERT INTO ads (companyName, webSite, picture)
VALUES ('$companyName','$_POST[webSite]','$filename')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo"<br>";
echo "1 record added";
mysqli_close($con);
?>
回答1:
You're at risk of MySQL injections. Never insert data directly to a database without some sort of projection first. It's a major security risk. Also use mysqli_real_escape_string instead, and note that your $_POST[webSite] is unprotected.
Also, your error means that your database details are not correct.
回答2:
No, you shouldn't mix mysql and mysqli.
Use here instead of mysql_real_escape_string($var):
$con->real_escape_string($var);
回答3:
A working code example that is a solution to this problem is available here:
http://www.w3schools.com/php/func_mysqli_real_escape_string.asp
回答4:
You must connect with database first before using Warning: mysql_real_escape_string()
回答5:
Try mysqli_real_escape_string instead.
来源:https://stackoverflow.com/questions/17870024/warning-mysql-real-escape-string-access-denied-for-user-localhost-usin