参考更合适的过滤函数: mysqli::real_escape_string mysqli_real_escape_string (PHP 5)mysqli::real_escape_string -- mysqli_real_escape_string — Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection说明 面向对象风格string mysqli::escape_string ( string $escapestr ) string mysqli::real_escape_string ( string $escapestr ) 过程化风格string mysqli_real_escape_string ( mysqli $link , string $escapestr ) This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection. 参数link 仅以过程化样式:由 mysqli_connect() 或 mysqli_init() 返回的链接标识。escapestr The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z. 返回值 Returns an escaped string. 范例 Example #1 mysqli::real_escape_string() example面向对象风格<?php $mysqli = new mysqli("localhost", "my_user", "my_password", "world");/* check connection */ if (mysqli_connect_errno()) { printf("Connect failed: %s\n", mysqli_connect_error()); exit(); }$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");$city = "'s Hertogenbosch";/* this query will fail, cause we didn't escape $city */ if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) { printf("Error: %s\n", $mysqli->sqlstate); }$city = $mysqli->real_escape_string($city);/* this query with escaped $city will work */ if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) { printf("%d Row inserted.\n", $mysqli->affected_rows); }$mysqli->close(); ?> 过程化风格<?php $link = mysqli_connect("localhost", "my_user", "my_password", "world");/* check connection */ if (mysqli_connect_errno()) { printf("Connect failed: %s\n", mysqli_connect_error()); exit(); }mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");$city = "'s Hertogenbosch";/* this query will fail, cause we didn't escape $city */ if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) { printf("Error: %s\n", mysqli_sqlstate($link)); }$city = mysqli_real_escape_string($link, $city);/* this query with escaped $city will work */ if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) { printf("%d Row inserted.\n", mysqli_affected_rows($link)); }mysqli_close($link); ?> 以上例程会输出:Error: 42000 1 Row inserted.
是用的CI框架.他的接受数据在框架中带到了你说的功能.骑士cms我就不知道了.
参考更合适的过滤函数:
mysqli::real_escape_string
mysqli_real_escape_string
(PHP 5)mysqli::real_escape_string -- mysqli_real_escape_string — Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection说明
面向对象风格string mysqli::escape_string ( string $escapestr )
string mysqli::real_escape_string ( string $escapestr )
过程化风格string mysqli_real_escape_string ( mysqli $link , string $escapestr )
This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection. 参数link
仅以过程化样式:由 mysqli_connect() 或 mysqli_init() 返回的链接标识。escapestr
The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.
返回值
Returns an escaped string. 范例
Example #1 mysqli::real_escape_string() example面向对象风格<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");$city = "'s Hertogenbosch";/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", $mysqli->sqlstate);
}$city = $mysqli->real_escape_string($city);/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", $mysqli->affected_rows);
}$mysqli->close();
?>
过程化风格<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");$city = "'s Hertogenbosch";/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", mysqli_sqlstate($link));
}$city = mysqli_real_escape_string($link, $city);/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", mysqli_affected_rows($link));
}mysqli_close($link);
?>
以上例程会输出:Error: 42000
1 Row inserted.