删除所有不需要的字符

Question

I am using the following code to strip out unwanted characters but it is not stripping out everything and throwing a MySQL error:

    $commentmessage = strip_tags($commentmessage);
    $commentmessage = htmlentities($commentmessage, ENT_QUOTES);

What code would I use to strip out anything that might cause a MySQL error?

The message I am receiving is:

Error message: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'omg thats the one". One of the logo's we really liked was 1049859 where the f' at line 2**

Answer 1

Evidently you're building your query like so:

$query = "INSERT INTO foo VALUES ('$bar')";

which is breaking because the text of $bar contains single quotes. '

No. *hits you with a rolled-up newspaper* Bad developer.

I could just throw you a string escaping function, or I could show you to do it right like:

$bar = "I am a problematic string!'; DROP TABLE USERS -- "
$query = "INSERT INTO foo VALUES (?)";
$stmt = $dbh->prepare($query);
$stmt->execute(array($bar));

Or:

$bar = "I am a problematic string!'; DROP TABLE USERS -- "
$query = "INSERT INTO foo VALUES (:bar)";
$stmt = $dbh->prepare($query);
$stmt->execute(array('bar'=>$bar));

When you prepare a query like this PHP/PDO/MySQL get together and pre-agree on what types your placeholders are. So your strings are treated like strings without the need for escaping characters. This both prevents rogue single quotes from breaking your query, and help protect you from SQL injection attacks.

You can also re-use prepared statements to increase performance: [relative to un-prepared statements since the SQL only needs to be parsed once, rather than once per query]

$query = "INSERT INTO foo VALUES (?)";
$stmt = $dbh->prepare($query);
foreach( $bars as $bar ) {
  $stmt->execute(array($bar));
}