Mysql + php 包含特殊字符,如 '(撇号) 和 " (引号)

发布于 2024-10-11 14:45:07 字数 769 浏览 9 评论 0 原文

我已经被一个小问题困扰了一段时间。它已经存在很多年了,但它只是一个令人恼火的问题,而不是一个严重的问题,我刚刚解决了它。但现在我想知道是否有人可以帮助我。我已经做了一些谷歌搜索但没有成功。

如果我从 php 文件中的 html 文本区域发送表单,如下所示:

<form action="http://action.com" method="post">
<textarea name="text"><a href="http://google.com">google's site</a></textarea>
</form>

当然还有一个提交按钮等等。

值是问题所在: google's site textarea 的值同时具有 "(引号) 和 '(撇号)。

为了将其保存在 mysql_database 中,我这样做:

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".$_POST['text']."') ") or die(mysql_error());

现在我收到 mysql 错误:

您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,了解在第 1 行使用“near 's site”的正确语法

I have been struggling with a small problem for a while. It's been there for years but it's just been an irritating problem and not a serious one, and I have just worked around it. But now I want to find out if anyone can help me. I have done some google'ing but no success.

If I do a form post from a html textarea in a php file like this:

<form action="http://action.com" method="post">
<textarea name="text"><a href="http://google.com">google's site</a></textarea>
</form>

and of course there is a submit button and so on.

The value is the problem: <a href="http://google.com">google's site</a> The value of the textarea have both "(Quotation mark) and '(Apostrophe).

To save this in a mysql_database I do this:

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".$_POST['text']."') ") or die(mysql_error());

And now I get the mysql error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's site'' at line 1

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(8

李不 2024-10-18 14:45:07

您的 sql 字符串将是:

INSERT INTO `table` (`row1`) VALUES ('google's site')

这不是有效的语句。正如 Nanne 所写,至少使用 mysql_real_escape_string 转义字符串: http:// /php.net/manual/en/function.mysql-real-escape-string.php

并阅读有关sql注入的内容
http://en.wikipedia.org/wiki/SQL_injection

想一想:如果有人发布此内容:$_POST['text'],值为:');delete from table;....

您可以对数据说再见了:)

始终过滤/转义输入!

编辑:从 PHP 5.5.0 开始,mysql_real_escape_string 和 mysql 扩展已被弃用。请改用 mysqli 扩展和 mysqli::escape_string 函数

Your sql string will be:

INSERT INTO `table` (`row1`) VALUES ('google's site')

Which is not a valid statement. As Nanne wrote, escape the string at least with mysql_real_escape_string : http://php.net/manual/en/function.mysql-real-escape-string.php

And read about sql injection
http://en.wikipedia.org/wiki/SQL_injection

Think a bit: if someone posts this: $_POST['text'] with value: ');delete from table;....

Your can say good bye to your data :)

Always filter/escape input!

EDIT: As of PHP 5.5.0 mysql_real_escape_string and the mysql extension are deprecated. Please use mysqli extension and mysqli::escape_string function instead

白衬杉格子梦 2024-10-18 14:45:07

将用户提供的值添加到数据库时,始终至少使用 mysql_real_escape_string。您应该查看绑定参数或 mysqli,以便您的查询将变为:

INSERT INTO `table` (`row1`) VALUES (?)

And ?清理输入后将被实际值替换。

在您的情况下,请使用:

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".mysql_real_escape_string($_POST['text'])."') ") or die(mysql_error());

阅读 SQL 注入。尽快做正确的事是值得的!

Always at least use mysql_real_escape_string when adding user-provided values into the Database. You should look into binding parameters or mysqli so your query would become:

INSERT INTO `table` (`row1`) VALUES (?)

And ? would be replaced by the actual value after sanitizing the input.

In your case use:

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".mysql_real_escape_string($_POST['text'])."') ") or die(mysql_error());

Read up on SQL Injection. It's worth doing right ASAP!

十六岁半 2024-10-18 14:45:07

您可以使用addslashes()函数。它用斜杠引用字符串。因此,当您在您的领域中添加任何撇号时,它将非常有用。

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".addslashes($_POST['text'])."') ") or die(mysql_error());

you can use addslashes() function. It Quote string with slashes. so, it will be very useful to you when you are adding any apostrophe in your field.

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".addslashes($_POST['text'])."') ") or die(mysql_error());
乄_柒ぐ汐 2024-10-18 14:45:07

不使用旧的 mysql* 函数,而是使用 PDO 并编写参数化查询 - http://php.net/pdo

instead of using the old mysql* functions, use PDO and write parameterized queries - http://php.net/pdo

無處可尋 2024-10-18 14:45:07

我在mysql更新数据的时候也在为字符而苦恼。

但我终于得到了一个更好的答案,这里是:

$lastname = "$_POST["lastname"]"; //lastname is : O'Brian, Bran'storm

当你要更新数据库时,系统不会更新它,除非你使用 MySQL REAL 转义字符串。
这里:

$lastname = mysql_real_escape_string($_POST["lastname"]);  // This Works Always.

那么你的查询肯定会更新。

Example: mysql_query("UPDATE client SET lastname = '$lastname' where clientID = '%"); //This will update your data and provide you with security.

有关更多信息,请查看 MYSQL_REAL_ESCAPE_STRING

希望这有帮助

I was also Struggling about characters when I was updating data in mysql.

But I finally came to a better answer, Here is:

$lastname = "$_POST["lastname"]"; //lastname is : O'Brian, Bran'storm

And When you are going to update your database, the system will not update it unless you use the MySQL REAL Escape String.
Here:

$lastname = mysql_real_escape_string($_POST["lastname"]);  // This Works Always.

Then you query will update certainly.

Example: mysql_query("UPDATE client SET lastname = '$lastname' where clientID = '%"); //This will update your data and provide you with security.

For More Information, please check MYSQL_REAL_ESCAPE_STRING

Hope This Helps

空城旧梦 2024-10-18 14:45:07

只需使用准备好的语句,您就不必担心转义或 SQL 注入。

$con = <"Your database connection">;
$input = "What's up?";
$stmt = $con->prepare("insert into `tablename` (`field`)values(?)");
$stmt->bind_param("s",$input);
$stmt->execute();

Just use prepared statements and you wouldn't have to worry about escaping or sql injection.

$con = <"Your database connection">;
$input = "What's up?";
$stmt = $con->prepare("insert into `tablename` (`field`)values(?)");
$stmt->bind_param("s",$input);
$stmt->execute();
拥有 2024-10-18 14:45:07

如果您使用的是php版本> 5.5.0 那么你必须像这样使用

$con = new mysqli("localhost", "your_user_name", "your_password", "your_db_name");

if ($con->query("INSERT into myCity (Name) VALUES ('".$con->real_escape_string($city)."')")) {
    printf("%d Row inserted.\n", $con->affected_rows);
}

If you are using php version > 5.5.0 then you have to use like this

$con = new mysqli("localhost", "your_user_name", "your_password", "your_db_name");

if ($con->query("INSERT into myCity (Name) VALUES ('".$con->real_escape_string($city)."')")) {
    printf("%d Row inserted.\n", $con->affected_rows);
}
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文