Updated: 2023-12-03 17:19:28
mysqli_real_escape_string() REQUIRES you to have an active/established connection to the DB. Since you're doing the m_r_e_s() call BEFORE you connect, you'll simply get back boolean FALSE to signify failure. So you're trashing your "quoted" values.
Boolean false values inserted into a string just get converted into empty strings, so your queries start looking like
SELECT ... WHERE username=''
^---see the boolean false in there?
Your code order should be:
session_start();
connect_to_db();
prepare_variables();
do_query();
And since you're using mysqli, why are you manually escaping variables anyways? You could just use a prepared statement + placeholders and bypass the problem entirely.
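The order the answer recommends, with the manual escaping replaced by a prepared statement, as an added example that is not part of the original answer. The table name `users`, its columns, and the connection credentials are assumptions for illustration.

```php
<?php
// Added example (not the original poster's code). Table/column names and
// credentials are placeholders; replace them with your own.
session_start();

// 1. Connect first. Anything that needs the connection (escaping, preparing,
//    querying) has to come after this line, or it operates on no connection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure instead of returning false
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4'); // escaping and binding are charset-aware; set it right after connecting

// 2. Prepare variables. No mysqli_real_escape_string() call is needed,
//    because the value is bound to a placeholder below instead of being
//    quoted into the SQL text.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// 3. Run the query with a placeholder. The driver sends the SQL and the value
//    separately, so the value can never change the structure of the statement,
//    and an empty string from a failed escape can no longer turn into
//    "WHERE username=''" silently.
$stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
$stmt->bind_param('s', $username); // 's' = bind as a string
$stmt->execute();
$stmt->bind_result($userId, $passwordHash);
$found = $stmt->fetch();
$stmt->close();

// Compare against the stored hash rather than a plaintext column.
if ($found && password_verify($password, $passwordHash)) {
    $_SESSION['user_id'] = $userId;
} else {
    // Same response for "no such user" and "wrong password".
    $_SESSION['login_error'] = 'Invalid username or password.';
}
```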