我試圖堅持我的數據庫中的angularjs元素。類型'字符串'是一個意外的參數,期望Mysqli [mysqli_real_escape_string]
我正在使用mySQL和PHP。
When I try to persist, I obtain this error: Warning: 'dabdsa' of type 'String' is an unexpected argument, expected Mysqli [mysqli_real_escape_string]
Warning: function 'mysqli_real_escape_string' has 2 required arguments, but only 1 were provided [mysqli_real_escape_string]
我不知道發生了什麼事。
我app.js代碼:
var app = angular.module("TestIdoneidadApp", []);
app.controller("TIController", ['$scope','$http', function($scope, $http) {
$scope.gestor= '';
$scope.entidad= '';
$scope.save=function(){
$scope.xml_object = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><testIdoneidad>';
$scope.xml_object += '<gestor>' + $scope.ti.gestor + '</gestor>';
$scope.xml_object += '<entidad>' + $scope.ti.entidad + '</entidad>';
$scope.xml_object += '</testIdoneidad>';
$http.post("insert.php", {'xml_object':$scope.xml_object});
}
}]);
我insert.php代碼:
<?php header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: Authorization, Content-Type');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE');
$servername = "localhost";
$username = "msandbox";
$password = "msandbox";
$dbname = "angular_db";
$port = "5631";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname, $port);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
$data = json_decode(file_get_contents("php://input"));
$xml_object = mysqli_real_escape_string($data->xml_object);
$sql = "INSERT INTO test_idoneidad (xml_object)
VALUES ('".$xml_object."')";
if (mysqli_query($conn, $sql)) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
mysqli_close($conn);
?>
與數據庫的連接是否正確,如果我嘗試插入類似 「測試」在價值中,這是有效的。
有人可以幫助我嗎?
謝謝你的建議。
你的腳本是[SQL注入攻擊]的風險(http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection- in-php) 看看發生了什麼事[Little Bobby Tables](http://bobby-tables.com/)即使是 [如果你正在逃避輸入,它不安全!](http:// stackoverflow。 com/questions/5741187/sql -injection-that-around-mysql-real-escape-string) 使用[prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared- statement.php) – RiggsFolly
感謝您的意見@RiggsFolly – DMC19