将HTML存储到MySQL数据库中
[英]Store HTML into MySQL database
问题描述
I'm trying to store a String which contains HTML in a MySQL database using Longtext data type. 
我正在尝试使用Longtext数据类型在MySQL数据库中存储包含HTML的String 。 But it always says "You have an error in your SQL syntax". 但是它总是说“您的SQL语法有错误”。 I tried to store a normal String and it works. 我试图存储一个普通的String ,它的工作原理。
Update : 更新 :
This is the query: 这是查询:
st.executeUpdate("insert into website(URL,phishing,source_code,active) values('" + URL + "','" + phishingState + "','" + sourceCode + "','" + webSiteState + "');");
I'm using Java. 我正在使用Java。
4 个解决方案
解决方案1
8 2010-04-14 22:55:21
Strings in a SQL query are -usually- surrounded by singlequotes. SQL查询中的字符串通常用单引号引起来。 Eg 例如
INSERT INTO tbl (html) VALUES ('html');
But if the HTML string itself contains a singlequote as well, it would break the SQL query: 但是,如果HTML字符串本身也包含一个单引号,它将破坏SQL查询:
INSERT INTO tbl (html) VALUES ('<form onsubmit="validate('foo', 'bar')">');
You already see it in the syntax highlighter, the SQL value ends right before foo and the SQL interpreter can't understand what comes thereafter. 您已经在语法突出显示器中看到了它,SQL值恰好在foo之前结束,并且SQL解释器无法理解其后的内容。 SQL Syntax Error! SQL语法错误!
But that's not the only, it also puts the doors wide open for SQL injections ( examples here ). 但是,这不是唯一的,但也可能使大开大阖的SQL注入 ( 例子在这里 )。
You'll really need to sanitize the SQL during constructing the SQL query. 在构造SQL查询期间,您确实需要清理SQL。 How to do it depends on the programming language you're using to execute the SQL. 如何执行取决于您用来执行SQL的编程语言。 If it is for example PHP, you'll need mysql_real_escape_string() : 如果是PHP,则需要mysql_real_escape_string() :
$sql = "INSERT INTO tbl (html) VALUES ('" . mysql_real_escape_string($html) . "')";
An alternative in PHP is using prepared statements , it will handle SQL escaping for you. PHP中的一种替代方法是使用预处理语句 ,它将为您处理SQL转义。
If you're using Java ( JDBC ), then you need PreparedStatement : 如果您使用的是Java( JDBC ),则需要PreparedStatement :
String sql = "INSERT INTO tbl (html) VALUES (?)";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1, html);
Update : it turns out that you're actually using Java. 更新 :事实证明您实际上是在使用Java。 You'll need to change the code as follows: 您需要按以下方式更改代码:
String sql = "INSERT INTO website (URL, phishing, source_code, active) VALUES (?, ?, ?, ?)";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1, URL);
preparedStatement.setString(2, phishingState);
preparedStatement.setString(3, sourceCode);
preparedStatement.setString(4, webSiteState);
preparedStatement.executeUpdate();
Don't forget to handle JDBC resources properly. 不要忘记正确处理JDBC资源。 You may find this article useful to get some insights how to do basic JDBC stuff the proper way. 您可能会发现本文很有用,可以帮助您深入了解如何以正确的方式进行基本的JDBC操作。 Hope this helps. 希望这可以帮助。
解决方案2
2 2010-04-14 22:47:47
Try using mysql_real_escape_string function on the string you want to store. 尝试在要存储的字符串上使用mysql_real_escape_string函数。 It is the easiest way. 这是最简单的方法。
解决方案3
1 2010-04-14 22:46:22
您需要先对字符串进行转义,然后再将其插入数据库。
解决方案4
1 2010-04-14 22:46:53
Difficult to say without seeing the query. 不见查询就很难说。 Can you post it? 你可以张贴吗?
I'm presuming there's some part of the html string that needs escaping, which maybe you missed? 我假设html字符串的某些部分需要转义,也许您错过了?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.