php - 回显消息用反斜杠替换空格

问题描述

为什么我收到错误消息 No users with name \' or \'1\'=\'1! 当我在输入中输入 ' 或 '1'='1 时？我知道我的程序阻止了 SQL 注入尝试，但为什么它用反斜杠替换空格？add_pregmatch.php

<?php

include_once 'includes/db_connect.php';

$firstname = '';
    $errors = array('firstname'=>'', 'email'=>'');

    if(isset($_POST['submit'])){
    // check name
    if(empty($_POST['firstname'])){
        $errors['firstname'] = 'Enter a name! <br />';
    } else {
        $firstname = $_POST['firstname'];
        if(!preg_match('/^[a-zA-Z]+$/', $firstname)){
            $errors['firstname'] = 'Name can only be letters! <br />';
        }
    }
}

?>
<!DOCTYPE html>
<html>
<head>
<title>SCIENCE FAIR</title>
<link rel="stylesheet" href="style.css">
    <section class ="container grey-text">
    <form class="white" action="addpreg_match.php" method="POST">
    <tr>
        <label>First Name:</label>
        <td><input type="text" name="firstname" placeholder="First Name"></td></br>
        <?php echo $errors['firstname']; ?>
    </tr>
        <div class="center">
            <td colspan="2"><input type="submit" name="submit" value="Submit"></td>
        </div>
    </form>

</section>
</html>
<?php
if(isset($_POST['submit'])) {
    $firstname = mysqli_real_escape_string($conn, $_POST['firstname']);
    $sql = "SELECT * FROM users WHERE name = '$firstname'";
        $result = mysqli_query($conn, $sql);
        $queryResult = mysqli_num_rows($result);

        if ($queryResult > 0) {
            while ($row = mysqli_fetch_assoc($result)) {
                echo "<div>
                <p>".$row['name']."<p>
                <p>".$row['email']."<p>
                </div>";
            }
        } else {
            echo "No users with name $firstname!";
        }
    }
?>

标签： phphtmlsql