堆栈内存溢出
  简体   繁体   English

通过PHP将花括号发送到MySQL

[英]Sending curly braces via PHP to mySQL

 原文  2014-10-03 14:12:32       php/ mysql/ braces

问题描述

First of all, I know it's not how it's supposed to be. 首先,我知道这不是应该的样子。 But the system has been setup like this so I have to try and work with it. 但是系统已经这样设置,所以我必须尝试使用​​它。

I have a column of entries in a mySQL table that look like this {12}-{32} and so forth. 我在mySQL表中有一列条目,看起来像这样的{12}-{32},依此类推。 12 is the id of the brand of a car, 32 the model. 12是汽车品牌的ID,32是车型的ID。

Now I have to create a query in PHP where a part of it is like this: (PD1.fieldValue = '{". $_SESSION['carId'] ."}-{". $_SESSION['carModelId'] ."}' 现在,我必须在PHP中创建查询,查询的一部分是这样的: (PD1.fieldValue = '{". $_SESSION['carId'] ."}-{". $_SESSION['carModelId'] ."}'

Guess what, that doesnt work with curly braces ofcourse. 猜猜是什么,这当然不适用于花括号。 The SESSION part is completely empty (yes, they have a value outside the query). SESSION部分完全为空(是的,它们在查询之外具有一个值)。

Is there anyway to fix this so I still can send the variables inside the braces to mySQL? 无论如何,有什么办法可以解决这个问题,所以我仍然可以将括号内的变量发送到mySQL?

1 个解决方案

解决方案1
 3 已采纳  2014-10-03 14:23:23

Whenever you find yourself having trouble getting some characters into your database, that is a strong hint that your database code is insecure and vulnerable to SQL injection. 每当您发现自己无法在数据库中输入一些字符时,就很明显地表明数据库代码不安全并且容易受到SQL注入的攻击。 You have to take a step back and look a little more broadly, thinking "What are all of the possible characters that aren't being escaped properly?" 您必须退后一步,放宽视野,思考“没有正确转义的所有可能字符是什么?” Luckily, you don't have to actually know. 幸运的是,您不必真正知道。 You just need to use the built-in escape functions. 您只需要使用内置的转义功能。

The ideal solution is to use placeholders. 理想的解决方案是使用占位符。 The syntax depends on what database API you're using (mysqli, or PDO; deprecated mysql doesn't support them). 语法取决于您使用的数据库API(mysqli或PDO;不建议使用的mysql不支持它们)。 There exist many excellent resources on how to use placeholders; 关于如何使用占位符,存在许多出色的资源。 this is the first result I pulled from Google and it looks right to me . 这是我从Google获得的第一个结果,对我来说似乎很正确

The somewhat less ideal solution is to use the real_escape_string function for your database API. 不太理想的解决方案是对数据库API使用real_escape_string函数。 Example for either mysqli or mysql : mysqlimysql示例: 

// Using heredoc syntax, you can clean up your queries like so.
$sql_template = <<<SQL
  SELECT
    PC.id AS cId,
    P.id AS pId
  FROM PAGE_CATALOG P
    LEFT JOIN PAGE_CATALOG_CONFIG PC ON (PC.id = P.cId)
  WHERE PD1.fieldValue = '%s'
    AND P.productCode REGEXP '%s'
    AND PC.id = '1'
    AND P.enabled = '1'
  GROUP BY P.id
  ORDER BY P.productVolgorde ASC
  LIMIT 0, 10
SQL;

// For mysqli:
// $mysqli = new mysqli(...)
$sql = sprintf(
  $sql_template,
  $mysqli->real_escape_string('{' . $_SESSION['carId'] . '}-{' . $_SESSION['carModelId'] . '}'),
  $mysqli->real_escape_string($MAL_TYPE)
);
$result = $mysqli->query($sql);
// For mysql:
$sql = sprintf(
  $sql_template,
  mysql_real_escape_string('{' . $_SESSION['carId'] . '}-{' . $_SESSION['carModelId'] . '}'),
  mysql_real_escape_string($MAL_TYPE)
);
$result = mysql_query($sql);

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用 axios 帖子和 php 发送花括号数组 - Sending array of curly braces with axios post and php PHP语法-花括号 - PHP Syntax - Curly braces PHP大括号成数组 - php curly braces into array PHP格式花括号 - php formatting curly braces PHP中字符串中的花括号 - Curly braces in string in PHP PHP中的花括号符号 - Curly Braces Notation in PHP 双花括号在PHP MySQL语句中是什么意思? - What do the double curly braces mean in a PHP MySQL statement? PHP:用方括号转换花括号 - PHP: Converting curly braces with square braces 如何在PHP中删除花括号 - how to remove curly braces in php PHP花括号替换值 - php curly braces replace values
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM