2012-03-17 89 views
2

HTML form gives Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user

<?php 
//////////////////////////////////////////////////////////////////////////////////// 
###### Require Database ######        //////////////////////// 
require_once('src/cfg/dbi.php'); 

//////////////////////////////////////////////////////////////////////////////////// 
###### Call Session Functions Include ######    ////////////////////////    
require_once('src/cfg/sess_function.php');     //////////////////////// 
###### Call function as contained in sess_function() ######      // 
session_set_save_handler('_open','_close','_read','_write','_destroy','_clean'); //        
###### Start session ###### //////////////////////////////////////////////////////// 
session_start(); /////////////////////////////////////////////////////////////////// 
//////////////////////////////////////////////////////////////////////////////////// 



#fullname, email, password 
    // Verify input was even provided 
if (isset($_POST['fullname']) && isset($_POST['email']) && isset($_POST['password'])) { 
    // Clean Input 
    $userName = mysql_real_escape_string($_POST['fullname']); 
    $userEmailAddress = mysql_real_escape_string($_POST['email']); 
    $userPassword = mysql_real_escape_string($_POST['password']); 

    # hash cleaned pass... 
    $dynamSalt = mt_rand(20,9999); 
    $userPassword = hash('sha512',$dynamSalt.$userPassword); 

    # connect database, then prepare, and finally perform query… 
    #require_once('src/cfg/dbi.php'); 
    try{ 
     $dbh = new PDO("mysql:host=$host;dbname=$dbname",$user,$pass); 
     $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
     // INSERT CLEAN DATA INTO TABLE… 
     $sth = $dbh->prepare(" 
     INSERT INTO Fan(fanNm,fanEmail,fanPass,fanDynamSalt) 
     VALUES('$userName','$userEmailAddress','$userPassword','$dynamSalt')" 
     ); 
     $sth->execute(); 
     //////////////////////////////////////////////////////////////////// 
     ## Set Session Var for this PK ID in Fan table that is being created ## 
     //////////////////////////////////////////////////////////////////// 
     $_SESSION['newUserSessID'] = $dbh->lastInsertId(); 

    } //try 

    catch(PDOException $e){ 
      #echo "Oops, We're experiencing an error.INSERTING NEW FAN"; 
      file_put_contents('/PDODBConnectionErrors.txt', $e->getMessage(), FILE_APPEND); 
    } //catch 

} 
else{ 
    // Redirect back to login form 
    header('Location: ../index.php'); // header() needs the "Location:" prefix to redirect
    exit;
    //*SHOW ERRORS*// 

} 

The dbi.php file:

<?php 
####### DB Config Setting ####### 
$host ='localhost'; ////////////// 
$dbname ='thedatabasesnamehere';////////// 
$user ='theuser';  ////////////// 
$pass ='thepass';   ////////////// 
///////////////////////////////// 
?> 

session_function.php - contains the 6 session functions

<?php 
    function _open() 
    { 
     try{ 
      // Open the database 
      global $dbname, $host,$user,$pass; 
      $dbh = new PDO("mysql:host=$host;dbname=$dbname",$user,$pass); 
      $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
      #echo "<DIV STYLE='COLOR:RED;'>"."CONNECTED!!"."</DIV>"; 
     } //try 
     catch(PDOException $e){ 
      #echo "Oops, We're experiencing an error CONNECTING."; 
      file_put_contents('PDODBConnectionErrors.txt', $e->getMessage(), FILE_APPEND); 
     } //catch 
    } 

    ## Kill Connection to Mysql (Using PDO) 
    function _close(){ 
    $dbh = null; 
    } 

    ## Read a current session 
    function _read($id){ 
     try{ 
      // Open the database 
      global $dbname,$host,$user,$pass; 
      $dbh = new PDO("mysql:host=$host;dbname=$dbname",$user,$pass); 
      $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
      // Begin Query 
      $id = mysql_real_escape_string($id); 
      $sth = $dbh->prepare("SELECT data FROM sessions WHERE id = '$id'"); 
      $sth->execute(); 

     } 
     catch(PDOException $e){ 
      #echo "Oops, We're experiencing an error. READING"; 
      file_put_contents('PDODBConnectionErrors.txt', $e->getMessage(), FILE_APPEND); 
     } //catch 

     ## return ''; 
    } 

## + other functions 

I get these warnings/errors when I fill in the 4 HTML inputs...:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'fannedup'@'localhost' (using password: NO) on line 30 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established on line 30 

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at sess_function.php:30) in on line 12 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at sess_function.php:30) in on line 12 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'fannedup'@'localhost' (using password: NO) on line 21 

Does anyone see what I'm doing wrong? It works perfectly on my local machine... but as soon as I put it on the web it gives me these errors. On the server I have PHP Version 5.2.17 and localhost is 5.3.1 ??

+0

Check your MySQL credentials. – 2012-03-17 02:50:47

Answers

10

You are seeing the error because you are trying to use mysql_real_escape_string without an active ext/mysql connection resource to the DB. That is because you are using PDO, so you have only established a PDO connection. The two function families are not interchangeable.

WRONG

$id = mysql_real_escape_string($id); 
$sth = $dbh->prepare("SELECT data FROM sessions WHERE id = '$id'"); 
$sth->execute(); 

CORRECT

$sth = $dbh->prepare("SELECT data FROM sessions WHERE id = ?"); 
$sth->execute(array($id)); 

Or you can use named placeholders:

$sth = $dbh->prepare("SELECT data FROM sessions WHERE id = :id"); 
$sth->execute(array(':id' => $id)); 

Query parameters in prepared statements are escaped internally during execution, which is one of the biggest advantages of using them. If for some reason you need to escape a string part of a query manually, then you need to use PDO's escaping function, PDO::quote.

+0

It should also be noted that although I only called out one instance of mixing the two extensions, you have it in several places. The same answer applies anywhere you query with PDO. – prodigitalson 2012-03-17 03:03:10

+0

So is it legit to just change the field in `WHERE id = '$id'` to `id = ?`, and of course the other fields wherever they are used? – CodeTalk 2012-03-17 03:05:26

+1

Any data field can be a placeholder. Metadata (table names, field aliases, etc.) cannot be substituted this way. – 2012-03-17 03:06:37
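To show the accepted answer's fix applied to both queries from the question, here is an added example (not code from the original question or answers). It assumes the $host/$dbname/$user/$pass values from dbi.php and the Fan and sessions table/column names used above; password hashing is left to the caller.

```php
<?php
// Added example: the Fan INSERT and the sessions SELECT from the question,
// rewritten with PDO named placeholders. No mysql_real_escape_string() is
// needed because the driver quotes parameter values itself.
require_once 'src/cfg/dbi.php'; // assumed to define $host, $dbname, $user, $pass

function connect() {
    global $host, $dbname, $user, $pass;
    $dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepares so values are never spliced into SQL text.
    $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $dbh;
}

// Insert a new Fan row. $hashedPass and $salt are whatever the caller computed.
function insertFan(PDO $dbh, $name, $email, $hashedPass, $salt) {
    $sth = $dbh->prepare(
        'INSERT INTO Fan (fanNm, fanEmail, fanPass, fanDynamSalt)
         VALUES (:name, :email, :pass, :salt)'
    );
    $sth->execute(array(
        ':name'  => $name,
        ':email' => $email,
        ':pass'  => $hashedPass,
        ':salt'  => $salt,
    ));
    return $dbh->lastInsertId();
}

// Session read handler: same fix for the SELECT, and it now actually returns
// the stored data (the handler in the question never fetched the row).
function _read($id) {
    $dbh = connect();
    $sth = $dbh->prepare('SELECT data FROM sessions WHERE id = :id');
    $sth->execute(array(':id' => $id));
    $data = $sth->fetchColumn();
    // PHP session handlers must return a string; '' means "no session yet".
    return $data === false ? '' : $data;
}

// A value containing a quote is stored literally, not interpreted as SQL.
$dbh = connect();
$newId = insertFan($dbh, "O'Brien", 'ob@example.invalid', 'hash-here', 1234);
```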

1

When you are using a data access abstraction layer like PDO, you should not use mysql_real_escape_string.

You are probably seeing the errors on your production server because you probably have a different display_errors setting there.

The session warnings should be solved by moving session_start() to the top of your file, where you use it.

+0

To the top of the file, sorry :) – mewm 2012-03-17 02:52:09
