包含双引号的字符串在数据库中插入不完整
已更新
我在表单中提供的文本区域将用户输入作为字符串
包含双引号的字符串在数据库中插入不完整..
我在文本区域中插入了一个字符串作为
“不用太担心 布局/设计/文字大小,我们经常会 “调味”(即粗体、斜体、 间距)您的横幅以获得更好的效果 整体外观。
当我将字符串插入数据库时,字符串结束于
不用太担心 布局/设计/文字大小,我们经常会
部分插入。我应该怎么做才能插入所有单引号和双引号?
根据要求进行编辑
下面是我用来使用 php 插入数据库的查询
“插入产品描述 (产品 ID、产品名称、 产品标志名称1, 产品标志名称2, 产品标志名称3, 产品描述) 值 ('" . (int)$products_id 。 “', '横幅_” 。 $products_id 。 "','".$_POST['logoimage1']."', '".$_POST['logoimage2']."', '".$_POST['logoimage3']."', '".mysql_real_escape_string($_POST['描述'])."')"
这里 mysql_real_escape_string($_POST['description']) 没有转义双引号,因此在插入时截断应该做什么?
Updated
The textarea i have provided in the form takes the user input as strings
String Containing double quotes is inserted incomplete in DB..
I have a string inserted in text area as
"Don't worry too much about
layout/design/text size, we will often
"spice up" (i.e. bold, italic,
spacing) your banner for a better
overall look.
And when i inserted the string into DB the string get end at
Don't worry too much about
layout/design/text size, we will often
and is inserted partially.. What should i do to allow all the single and double quotes to be inserted?
EDIT ON REQUEST
Below Is the query I am using to insert in the database using php
"insert into products_description
(products_id, products_name,
products_logo_name1,
products_logo_name2,
products_logo_name3,
products_description) values ('" .
(int)$products_id . "', 'banner_" .
$products_id .
"','".$_POST['logoimage1']."',
'".$_POST['logoimage2']."',
'".$_POST['logoimage3']."',
'".mysql_real_escape_string($_POST['description'])."')"
Here mysql_real_escape_string($_POST['description']) is not escaping double quotes and hence truncates in insertion what should be done?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
对字符串内的双引号进行转义,如下所示:
反斜杠将告诉编译器忽略后面双引号的“含义”,并将其视为普通字符(这就是我们所说的“转义”)。
另请查看
mysql_real_escape_string()
< /a> 处理用户输入时(这将自动转义字符串中的所有危险元素以在 mySQL 数据库中使用)。Escape the doublequotes inside the string, like so:
The backslash will tell the compiler to ignore the "meaning" of the folowing doublequote, and treat it like a normal character (This is what we call "Escaping").
Also check out
mysql_real_escape_string()
when working with user input (This will automatically escape all dangerous elements in strings for use in a mySQL Database).哈哈
还没有阅读整个问题,但我确信我知道答案,
它会被插入数据库,然后检索,然后进入 HTML 表单的字段值... ;-)
好吧,说真的。
您必须一步步遵循您的数据。
您的应用程序中有一些邪恶的代码,它们会产生一些邪恶的东西。
您必须跟踪数据流并检查它在哪个阶段被破坏
只需按以下步骤打印数据即可:
这是您的常见错误:您将多阶段过程视为一个步骤。
您会看到字符串被插入到文本区域中,下次您在该文本区域中看到它被截断时。而您认为这是数据库问题。虽然您不能那么确定 - 有许多步骤不涉及数据库。将您的应用程序视为多阶段过程,而不是一个实体块。
LOL
haven't read whole question but I am sure I know the answer
it's being inserted into database all right, then retrieved all right, and then goes into HTML form's field value... ;-)
Well, seriously.
You have to follow your data step by step.
There is some evil code in your application, that makes some evil things.
You have to follow your data flow and check at what stage it gets spoiled
Just print your data out at these steps:
That's your general fault: you take multi-stage process as a single step.
You watch your string being inserted into textarea and next time you see it in this textarea truncated. And you think it's database issue. While you cannot be so sure - there are many steps where database isn't involved. Watch your app as not a solid block but as multiple stage process.
使用函数
mysql_real_escape_string()
< /a> 如果它来自用户输入。Use the function
mysql_real_escape_string()
if it's coming from user input.感谢 Agauin 让我自己去骂。有时
我有必要回应 $_POST['description'] ,这显示为
使用,当我使用时
它给了我完整的字符串
Thanks Agauin for making me scould myself.. sometimes its necessary
i echoed the $_POST['description'] and this displayed as
and when i used
It gave me complete string
你需要转义你的引号。
如果您的数据库是 MySQL,请在将所有数据保存到数据库之前通过
mysql_real_escape_string()
函数传递它们。如果您不这样做,您的代码将面临重大安全漏洞的风险,而不仅仅是数据丢失!
(如果您还没有这样做,您还应该出于其他目的转义其他数据;例如,应该转义发送回浏览器的数据,以防止恶意用户向其中添加原始 HTML 或 Javascript 代码来操纵您的数据) PHP
中有许多函数可以处理添加和删除转义字符以及数据过滤,如果您希望您的站点安全,您需要学习这些函数和技术
[编辑]
在看到您的编辑后
:您需要转义查询中的所有字符串,而不仅仅是描述,因此将转义添加到
$_POST['logoimage1']
等,因为如果其中任何一个包含 。但是,描述字段上的转义看起来是正确的,所以我不知道为什么它会被截断
mysql_real_escape_string()
声明它转义双引号和单引号,所以它应该适合你。您可以通过 print()ing 完全转义的 SQL 字符串来测试这一点;这将显示是否还有任何未转义的内容。在黑暗中拍摄 - 您检查过数据库中描述字段的最大长度吗?这也可能导致字符串截断……不过不太可能;我想如果您使用文本区域输入,您会将其设置得足够长。
You need to escape your quotes.
If your DB is MySQL, pass all your data through the
mysql_real_escape_string()
function before saving them to the DB.If you don't do this, you risk major security holes in your code, not just data going missing!
(in case you aren't doing it already, you should also be escaping other data for other purposes as well; eg data being sent back to the browser should be escaped to prevent rogue users adding raw HTML or Javascript code to it to manipulate your site.
There are a number of functions in PHP to deal with adding and removing escape characters and data filtering. If you want your site to be secure, you need to learn these functions and techniques.
[edit]
After seeing your edit:
Firstly, you need to escape all the strings in your query, not just the description, so add escaping to
$_POST['logoimage1']
, etc, as you'll have the same problems if any of those contain quotes.However the escaping on the description field looks correct so I don't know why it would be truncated. The man page for
mysql_real_escape_string()
states that it escapes double and single quotes, so it should be okay for you. You can test this by print()ing the fully escaped SQL string; this will show if there's anything left unescaped.Shot in the dark - have you checked the maximum length of your description field in the database? That could also cause string truncation.. unlikely though; I imagine if you're inputting with a textarea you'll have set it up to be long enough.