Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in
Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in
我正在尝试从登录表单中转义输入,以防止 sql 注入。但我得到错误为:
Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in F:\Apache24\htdocs\Site1\user\login.php:17 Stack trace: #0 {main} thrown in F:\Apache24\htdocs\Site1\user\login.php on line 17
我尚未清理或验证用户输入,因为我仍在构建页面,但我想测试它是否正确连接到数据库。这是登录页面的代码:
<!DOCTYPE html>
<?php
include('../includes/pdo_connect.php');
$expiry = time()+60*60*24;
if(!setcookie('userdata[user_id]', $user_id, $expiry, '', '', '', TRUE)){
echo "<script>alert('could not set cookie');</script>";
}
?>
<html>
<head>
<title>Login</title>
<link rel="stylesheet" type="text/css" href="../styles/login_style.css">
<?php
global $con;
if(isset($_POST['login_ok'])){
$email = mysql_real_escape_string($_POST['email']);
$pass = mysql_real_escape_string($_POST['password']);
try{
$query = "select * from user where user_email=':email' and password=':pass'";
$stmt = $con->prepare();
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':pass', $pass, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetchAll();
foreach($result as $row) {
$user_id = $row['user_id'];
//$user_first_name = $row['user_first_name'];
header("Location:profile.php");
}
} catch(PDOException $e){
echo "Error: ".$e->getMessage();
}
}
?>
</head>
<body>
<div class="wrapper">
<header>
</header>
<div class="form_div">
<div class="form">
<form id="register_form" method="post" action="" autocomplete="autocomplete">
<table>
<tr>
<td id="label">Email: </td>
<td id="input"><input type="text" name="email" required="required" id="input_box"></td>
</tr>
<td id="label">Password: </td>
<td id="input"><input type="password" name="password" id="input_box"></td>
</tr>
<tr id="button_row">
<td colspan="2"><input type="reset" value="Reset" id="button">
<input type="submit" value="Login" id="button" name="login_ok"></td>
</tr>
</table>
</form>
</div>
</div>
</div>
</body>
</html>
mysql_ API 已过时并已从 PHP 中删除(支持 PDO 和 mysqli_)。
虽然您正在使用 PDO,因此您应该使用 PDO 方法来防御 SQL 注入,您已经这样做了:
$stmt->bindParam(':email', $email, PDO::PARAM_STR);足以防御SQL注入
我正在尝试从登录表单中转义输入,以防止 sql 注入。但我得到错误为:
Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in F:\Apache24\htdocs\Site1\user\login.php:17 Stack trace: #0 {main} thrown in F:\Apache24\htdocs\Site1\user\login.php on line 17
我尚未清理或验证用户输入,因为我仍在构建页面,但我想测试它是否正确连接到数据库。这是登录页面的代码:
<!DOCTYPE html>
<?php
include('../includes/pdo_connect.php');
$expiry = time()+60*60*24;
if(!setcookie('userdata[user_id]', $user_id, $expiry, '', '', '', TRUE)){
echo "<script>alert('could not set cookie');</script>";
}
?>
<html>
<head>
<title>Login</title>
<link rel="stylesheet" type="text/css" href="../styles/login_style.css">
<?php
global $con;
if(isset($_POST['login_ok'])){
$email = mysql_real_escape_string($_POST['email']);
$pass = mysql_real_escape_string($_POST['password']);
try{
$query = "select * from user where user_email=':email' and password=':pass'";
$stmt = $con->prepare();
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':pass', $pass, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetchAll();
foreach($result as $row) {
$user_id = $row['user_id'];
//$user_first_name = $row['user_first_name'];
header("Location:profile.php");
}
} catch(PDOException $e){
echo "Error: ".$e->getMessage();
}
}
?>
</head>
<body>
<div class="wrapper">
<header>
</header>
<div class="form_div">
<div class="form">
<form id="register_form" method="post" action="" autocomplete="autocomplete">
<table>
<tr>
<td id="label">Email: </td>
<td id="input"><input type="text" name="email" required="required" id="input_box"></td>
</tr>
<td id="label">Password: </td>
<td id="input"><input type="password" name="password" id="input_box"></td>
</tr>
<tr id="button_row">
<td colspan="2"><input type="reset" value="Reset" id="button">
<input type="submit" value="Login" id="button" name="login_ok"></td>
</tr>
</table>
</form>
</div>
</div>
</div>
</body>
</html>
mysql_ API 已过时并已从 PHP 中删除(支持 PDO 和 mysqli_)。
虽然您正在使用 PDO,因此您应该使用 PDO 方法来防御 SQL 注入,您已经这样做了:
$stmt->bindParam(':email', $email, PDO::PARAM_STR);足以防御SQL注入