为了教育目的,我在家制作了一个简单的网站,我使用的是PHP和MySql。 我有一个带wifi网络的数据库(来自wardriving),我可以在数据库中搜索SSID名称并查看网络是否在我的数据库中。 但我注意到,如果我在我的搜索中输入%%%我得到数据库中的所有结果,我该如何阻止?在MySql查询中阻止%%%
我的代码是:(编辑有点为这个职位删除敏感的东西)
<form method="post" action="">
<input type="search" name="query" placeholder="Sök efter ditt SSID"/>
<input type="submit" name="submit" value="Sök" />
</form>
<?php
include $_SERVER["DOCUMENT_ROOT"] . "/includes/connect.php";
if(isset($_POST['submit'])){
$db_tb_name="database";
$db_tb_atr_name="ssid";
$query = str_replace('%', '\%', mysql_real_escape_string($_POST['query']));
//If search is longer than x characters...
if(strlen($query) >= 3)
{
//Do mysql query for results
$query_for_result=mysql_query("SELECT * FROM $db_tb_name WHERE $db_tb_atr_name like '%".$query."%'");
//If query finds nothing, search is not in databse, echo...
if (mysql_num_rows($query_for_result) < 1)
{
echo "<br /><h3>Ditt SSID finns inte med i databasen</h3>";
}
//Else echo table and populate with results
else
{
echo "<br>";
$num_result = mysql_num_rows($query_for_result);
echo "<h3>Resultat av sökningen - $num_result träffar</h3>";
echo "<table>
<thead>
<tr>
<th>SSID</th>
<th>MAC</th>
<th>Kanal</th>
<th>Kryptering</th>
<th>Algoritm</th>
<th>Autentisering</th>
<th>Signalstyrka</th>
<th>Tillverkare</th>
</tr>
</thead>";
while($data_fetch=mysql_fetch_array($query_for_result))
{
echo "<tr>";
echo "<td>" . substr($data_fetch[ssid], 0,32) . "</td>";
echo "<td>" . substr($data_fetch[mac], 0,32) . "</td>";
echo "<td>" . substr($data_fetch[channel], 0,32) . "</td>";
echo "<td>" . substr($data_fetch[privacy], 0,32) . "</td>";
echo "<td>" . substr($data_fetch[ciper], 0,32) . "</td>";
echo "<td>" . substr($data_fetch[auth], 0,32) . "</td>";
echo "<td>" . substr($data_fetch[power], 0,32) . "</td>";
echo "<td>" . substr($data_fetch[manuf], 0,32) . "</td>";
echo "</tr>";
}
echo "</table>";
}
}
//If search is shorter than x characters, echo...
else
{
echo "<br /><h3>Sökningen måste innehålla minst 3 tecken</h3>";
}
}
include $_SERVER["DOCUMENT_ROOT"] . "/includes/close_connection.php";
?>
转换$查询特殊字符到他们的html实体 – 2014-11-25 14:24:59
'str_replace('%','\%',$ query)',基本上。 %不会被m_r_e_s()转义。 – 2014-11-25 14:42:44
对于所有神圣事物的爱,请使用'mysqli'或'PDO'而不是'mysql_ *'函数,因为它们将从下一个PHP版本中移除 – 2014-11-25 14:52:32