mysql_real_escape_string 问题
如果我输入
'
进入我的搜索栏,我得到一个mysql错误,因为“刺”还没有被转义——它认为。
但我无法逃避它的原因是因为我认为它目前不是一个字符串。
搜索框使用ajax动态生成搜索结果,就像我输入的那样,它发现我收到错误的结果:
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '%' OR Location
LIKE '%'%' OR Map LIKE '%'%' LIMIT 0, 16' at line 2
这是mysql查询:
<?php
if($_POST['q']!=""){
include $_SERVER['DOCUMENT_ROOT'] . "/include/datebasecon.php";
$result = mysql_query("
SELECT id, Name, Location, Map
FROM Accommodation WHERE Name LIKE '%".$_POST['q']."%' OR Location LIKE '%".$_POST['q']."%' OR Map LIKE '%".$_POST['q']."%' LIMIT 0, 16")
or die(mysql_error());
$output = "";
while($row = mysql_fetch_array($result)){
$N = preg_replace("/(".$_POST['q'].")/i","<span>$1</span>",$row['Name']);
$L = preg_replace("/(".$_POST['q'].")/i","<span>$1</span>",$row['Location']);
$M = preg_replace("/(".$_POST['q'].")/i","<span>$1</span>",$row['Map']);
$output .= "<p>".$N." - ".$L."</p>";
}
print $output;
}
?>
无论如何我可以在发布查询后解决这个问题吗?
If I type
'
into my search bar I get a mysql error as the "sting" has not been escaped- it think.
But the reason why I cant escape it is because I dont think it currently is a string.
the search box generates search results dynamically with ajax it is as I type and it finds the results that I get the error:
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '%' OR Location
LIKE '%'%' OR Map LIKE '%'%' LIMIT 0, 16' at line 2
This is the mysql query:
<?php
if($_POST['q']!=""){
include $_SERVER['DOCUMENT_ROOT'] . "/include/datebasecon.php";
$result = mysql_query("
SELECT id, Name, Location, Map
FROM Accommodation WHERE Name LIKE '%".$_POST['q']."%' OR Location LIKE '%".$_POST['q']."%' OR Map LIKE '%".$_POST['q']."%' LIMIT 0, 16")
or die(mysql_error());
$output = "";
while($row = mysql_fetch_array($result)){
$N = preg_replace("/(".$_POST['q'].")/i","<span>$1</span>",$row['Name']);
$L = preg_replace("/(".$_POST['q'].")/i","<span>$1</span>",$row['Location']);
$M = preg_replace("/(".$_POST['q'].")/i","<span>$1</span>",$row['Map']);
$output .= "<p>".$N." - ".$L."</p>";
}
print $output;
}
?>
Is there anyway i can fix this after its post the query maybe?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
当
magic_quotes_gpc关闭时(应该如此!),$_POST['q']只是字符串',只是一个字符。这就是为什么它会出现在您的 SQL 代码中,如下所示:错误发生在
'%'%'处,因为LIKE字符串被过早终止。您只需在
$_POST['q']上使用mysql_real_escape_string()即可转义:When
magic_quotes_gpcis off (as it should be!),$_POST['q']is simply the string', as just one character. That's why it's appearing in your SQL code like this:The error takes place at
'%'%'because theLIKEstring is being prematurely terminated.You can just use
mysql_real_escape_string()on$_POST['q']and it'll be escaped:你写了“我认为它目前不是一个字符串”......它是一个字符串。您可以将其传递给
mysql_real_escape_string()并使用结果来使您的查询安全可靠。您的脚本通过$_POST、$_GET、$_REQUEST和$_COOKIE参数接收到的所有内容都可以用作字符串,但它是一个数组。You wrote "I dont think it currently is a string"... it is a string. You can pass it to
mysql_real_escape_string()and use the result to make your query secure and reliable. Everything your script receives by the$_POST,$_GET,$_REQUESTand$_COOKIEparams can be used as string, except it is an array.为了让你明白。
查看您的查询:
记下您用来分隔搜索字符串的撇号。
这些撇号确实意味着内部的数据是一个字符串。
您在查询中放入引号的所有内容都是一个字符串。
您在查询中放入引号的所有内容都必须转义。
无需思考、考虑或估计。规则简单且明确:引用的文本应始终转义。
To make you understand.
Look at your query:
note apostrophes you have used to delimit search string.
These apostrophes does mean that data inside IS a string.
Everything you put in quotes into query is a string.
Everything you put in quotes into query must be escaped.
No need to think, consider or estimate. The rule is simple and unambiguous: quoted text should be always escaped.