mysqli mysql_real_escape_string, Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given...

I have a secured area of my site where I can add/update/delete database entries. I am trying to update the script from mysql to mysqli. Everything works except for the "update" part. When I fill in the new information and click "update", it gives me this error:

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in /home3/tarb89/public_html/aususrpg.net/charbase/updated.php on line 19

I'm not sure what is wrong here; I'm a complete newbie, so my apologies.

Here is my update.php code:

<?php
// Create connection
$con=mysqli_connect("xxx","xxx","xxx","xxx");

// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$id = $_GET['id'];
$result = mysqli_query($con,"SELECT * FROM characters WHERE id = '$id'");
$my_array = array($c_z);
extract($my_array);
?>

Name:

The other issue I have with the update.php page is when it displays the table, the inputs should display the information already listed in the database; currently, it shows the name field but the input section is empty. It should display the name data already in the database (then I can replace it with whatever I want it to update as.)

Here is the updated.php code:

<?php
// Create connection
$con=mysqli_connect("xxx","xxx","xxx","xxx");

// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$id = $_POST['id'];
// This call raises the warning above: the arguments are passed as (string, link)
$name = mysqli_real_escape_string(trim($_POST["name"]), $con);
$rsUpdate = mysqli_query($con,"UPDATE characters SET name='$name'
WHERE id='$id'");

// mysqli_error($con) replaces the old mysql_error() call left over from the mysql extension
if($rsUpdate) { echo "Successfully updated"; } else { die('Invalid query: '.mysqli_error($con)); }
?>

Back to index

Any help would be greatly appreciated. This thing is driving me bonkers.

Different issue: see above update.php code.

When I click on a link next to a database entry, called "Update Information", it takes me to update.php?id=charactersid

Currently, it displays an empty input form. I can input information and hit "update" and it WILL update correctly.

However, when I am taken to the update.php page, I want it to display the input form except the values should all equal what is already in the database.

For example:

What it currently shows:

Name: [empty input box]

What I want it to show:

Name: [current name listed in the database]

So the value of the input should be the information for that character; so that when I want to update, I can see what is already listed as information for that character and change/delete/add whatever else I need to.

Does that make more sense?

Solution

You're using it the opposite way:

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

So it should be:

$name = mysqli_real_escape_string($con, trim($_POST["name"]));

Since you're using MySQLi, I would suggest you just jump into prepared statements rather than real_escape, like this:

<?php
// Your database info
$db_host = 'host';
$db_user = 'user';
$db_pass = 'pass';
$db_name = 'database';

// POST data
$id = $_POST['id'];
$name = trim($_POST["name"]);

$con = mysqli_connect($db_host, $db_user, $db_pass, $db_name);

// mysqli_connect() can return false on failure, so check the connect
// error code rather than reading a property of $con
if (mysqli_connect_errno())
{
    die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
}

// Placeholders keep user input out of the SQL text
$sql = "UPDATE characters SET name = ? WHERE id = ?";

if (!$result = $con->prepare($sql))
{
    die('Query failed: (' . $con->errno . ') ' . $con->error);
}

// 's' = string ($name), 'i' = integer ($id)
if (!$result->bind_param('si', $name, $id))
{
    die('Binding parameters failed: (' . $result->errno . ') ' . $result->error);
}

if (!$result->execute())
{
    die('Execute failed: (' . $result->errno . ') ' . $result->error);
}

$result->close();
$con->close();

echo "Successfully updated";
?>

Back to index

To select the character name:

<?php
// Your database info
$db_host = 'host';
$db_user = 'user';
$db_pass = 'pass';
$db_name = 'database';

// GET data: update.php is opened as update.php?id=..., so the id
// arrives in the query string, not in a POST body
$id = $_GET['id'];

$con = mysqli_connect($db_host, $db_user, $db_pass, $db_name);

// mysqli_connect() can return false on failure, so check the connect
// error code rather than reading a property of $con
if (mysqli_connect_errno())
{
    die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
}

$sql = "SELECT name FROM characters WHERE id = ?";

if (!$result = $con->prepare($sql))
{
    die('Query failed: (' . $con->errno . ') ' . $con->error);
}

// 'i' = integer ($id)
if (!$result->bind_param('i', $id))
{
    die('Binding parameters failed: (' . $result->errno . ') ' . $result->error);
}

if (!$result->execute())
{
    die('Execute failed: (' . $result->errno . ') ' . $result->error);
}

// Buffer the result so num_rows is available
$result->store_result();

if ($result->num_rows == 0)
{
    die('No character found...');
}

$result->bind_result($name);
$result->fetch();

$result->close();
$con->close();

echo $name;
