使用$ searchEscaped來顯示特定數據

Question

我正在使用$ searchEscaped來允許用戶「查看他們的個人資料」，但是這個結果對我來說不起作用。這裏是我的代碼：

這裏的用戶點擊查看他們的個人資料

<li><a href="profile2.php?username=<?php echo $userRow['username'];?>">View Profile</a></li> 

的鏈接，然後將它們發送到profile.php頁面。這是下面這個。

<?php 
$servername = "localhost"; 
$username = "root"; 
$password = ""; 
$dbname = "database"; 

// Create connection 
$conn = new mysqli($servername, $username, $password, $dbname); 
// Check connection 

$searchEscaped = $conn->real_escape_string($_GET['username']); 
if ($conn->connect_error) { 
    die("Connection failed: " . $conn->connect_error); 
} 

$res=mysql_query("SELECT username , image FROM users WHERE username='$searchEscaped'"); 
$userRow=mysql_fetch_array($res); 



$conn->close(); 
?> 

<?php echo $userRow['username']; ?> 
<?php echo $userRow['image']; ?> 

任何幫助將是驚人的。謝謝！

Answer 1

<?php 
     $servername = "localhost"; 
     $username = "root"; 
     $password = ""; 
     $dbname = "database"; 

     // Create connection 
     $conn = mysqli_connect($servername, $username, $password, $dbname); 
     // Check connection 


     if (!$conn) { 
      die("Connection failed: " . mysqli_connect_error(); 
     } 

     $searchEscaped = mysqli_real_escape_string($conn, $_GET['username']); 
     $res=mysqli_query($conn, "SELECT username , image FROM users WHERE username='$searchEscaped'"); 
     $userRow=mysqli_fetch_array($res); 



     mysqli_close($conn); 
     ?> 

     <?php echo $userRow['username']; ?> 
     <?php echo $userRow['image']; ?> 

Answer 2

您在混合mysql和mysqli。毫無疑問，這是你問題的原因。

我已將您的代碼轉換爲PDO，它可以保護您免受SQL注入攻擊。

<?php 
$username = "root"; 
$password = ""; 

$conn = new PDO('mysql:host=localhost;dbname=database', $username, $password); 

$searchEscaped = $_GET['username']; 

$stmt = $con->prepare("SELECT username, image FROM users WHERE username=:searchEscaped"); 
$stmt->bindParam(':searchEscaped', $searchEscaped); 
$stmt->execute(); 
$userRow = $stmt->fetch(); 

echo $userRow['username']; 
echo $userRow['image']; 
?>