我不知道该放哪儿 mysqli_real_escape_string()
到我目前的php代码为mysql。
我有网址 http://www.example.com/-vs-def-vs-ghi/
但我知道它会暴露在 http://www.example.com/:_?!$123-vs-1312+'
.
我的代码是:
// This I got from my URL - be aware of SQLi!!!
$uri_segments="abc-vs-def-vs-ghi";
// array to get abc def ghi
$compare = explode('-vs-',$uri_segments[0]);
// db connection
$con = mysqli_connect("localhost","user","password","database");
// array for ID's by url segment abc, def, ghi for later
$device_models = array();
// loop array abc def ghi to get the ID from database
foreach ($compare as $model) {
// sql - where to put mysqli_real_escape_string()?
$sql = <<<SQL
SELECT model_id
FROM device_model
WHERE device_model.model_seo_url = '${model}'
SQL;
// get the id for abc, def, ghi
$result = mysqli_query($con, $sql) or die(mysqli_error($con));
while($row = mysqli_fetch_assoc($result)){
$device_model_id = $row['model_id'];
// add id to array
$device_models[] = $device_model_id;
}
}
// close connection
mysqli_close($con);
// id 1,2,3
$var = implode (",", $device_models);
echo $var; // 1,2,3
我应该把int insie$sql变量 'mysqli_real_escape_string(${model})'
?
或者 '${mysqli_real_escape_string(model)}'
?
我不能让它工作。
可能在foreach()循环中?
谢谢你的帮助!
暂无答案!
目前还没有任何答案,快来回答吧!