I use the addslashes function to filter the data "my 'name" sent by the user through POST, and then store the data in MySQL.
However, when I execute
$conn = new mysqli('127.0.0.1', 'root', '', 'book_sc');
$re = $conn->query("select * from sc where title = '" . "my 'name" . "'");
var_dump($re->num_rows); // the return value is NULL
But execute commands in mysql
mysql> select * from sc where title = "my 'name";
Or
mysql> select * from sc where title = "my \'name";
this row is found. Why does it return NULL when executed from the PHP script?
Also, the filter functions include strip_tags and htmlspecialchars, which are used to strip out HTML and PHP code and to escape HTML so the data is safe. Do I need to use all three of these functions?
Reply content:
I'm wondering whether you want to execute
$re = $conn->query("select * from sc where title='" . "my'name" . "'");
Why is there no error? Obviously, this SQL statement is incorrect.
It should be
$conn->query("select * from sc where title='my\'name'");
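The following is an added example, not code from the question or the reply above. It runs the posted query three ways against the same connection so the difference is visible: the raw concatenation from the question, the same query with escaping applied at the point where the SQL string is built, and a prepared statement. The connection parameters, the database name book_sc, the table sc and the column title are taken from the post; the single stored row "my 'name" is assumed to exist, as the question describes.

```php
<?php
// Added example (not from the original post). Assumes the database book_sc,
// table sc and column title from the question, containing one row with
// title = "my 'name" (addslashes() escaped the INSERT literal, MySQL stored
// the unescaped text, so the column holds a plain single quote).

// Since PHP 8.1 mysqli throws exceptions by default; turn that off so the
// false return value the question is hitting can actually be observed.
mysqli_report(MYSQLI_REPORT_OFF);

$conn = new mysqli('127.0.0.1', 'root', '', 'book_sc');
if ($conn->connect_error) {
    die('Connect failed: ' . $conn->connect_error . "\n");
}

$title = "my 'name";   // the raw value as received via POST

// 1. The posted approach: raw concatenation. The quote inside the value ends
//    the string literal early, so the SQL sent to the server is
//        select * from sc where title='my'name'
//    which is a syntax error. query() returns false, and reading ->num_rows
//    on false yields NULL (with a warning) - exactly what var_dump() showed.
$re = $conn->query("select * from sc where title='" . $title . "'");
if ($re === false) {
    echo "Broken query failed: " . $conn->error . "\n";
}

// 2. Escape at query time with the connection's charset-aware escaper.
//    This produces title='my \'name', the form the reply points out. The
//    escaping has to happen where the SQL is assembled; escaping the value
//    before storing it does nothing for queries built later.
$escaped = $conn->real_escape_string($title);
$re = $conn->query("select * from sc where title='" . $escaped . "'");
echo "Escaped query rows: " . ($re ? $re->num_rows : 'error') . "\n";

// 3. Preferred: a prepared statement. The value never becomes part of the
//    SQL text, so the quoting problem and SQL injection disappear together.
$stmt = $conn->prepare('select * from sc where title = ?');
$stmt->bind_param('s', $title);
$stmt->execute();
$stmt->store_result();          // buffer the result so num_rows is populated
echo "Prepared query rows: " . $stmt->num_rows . "\n";
$stmt->close();

$conn->close();
```

Always test the return value of query() before touching the result; a false return with a syntax error is how a concatenated quote shows up in practice, and the same concatenation is what makes the statement injectable. strip_tags and htmlspecialchars address a different sink: they are for text that is written into an HTML page, and applying them before storage neither fixes the SQL above nor replaces escaping or parameter binding on the database side.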