php where 后 函数,PHP – GetSQLValueString函数

标签：php

我看到一个函数Ge​​tSQLValueString,我不知道它处理的是什么,有人可以给我一些想法吗？

谢谢

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

switch ($theType) {

case "text":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "long":

case "int":

$theValue = ($theValue != "") ? intval($theValue) : "NULL";

break;

case "double":

$theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";

break;

case "date":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "defined":

$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

break;

}

return $theValue;

}

这里使用的函数：

if (isset($_POST['username'])) {

$loginUsername=$_POST['username'];

$password=$_POST['password'];

$MM_fldUserAuthorization = "";

$MM_redirectLoginSuccess = "main.php";

$MM_redirectLoginFailed = "login_form.php";

$MM_redirecttoReferrer = false;

mysql_select_db($database_connection1, $connection1);

$LoginRS__query=sprintf("SELECT username, password FROM member WHERE username=%s AND password=%s",

GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

...

解决方法:

您的函数使用MySQL的内置字符串转义函数转义字符串,然后如果它是非数字值,则用单引号括起来.编写此函数是为了将可变数据插入SQL查询中.

$sql = "SELECT * FROM users WHERE username = " . GetSQLValueString($_GET['username'], 'text');

$result = mysql_query($sql);

标签：php

来源： https://codeday.me/bug/20190526/1157373.html