[英]MySQL Query not inserted when PHP variable contains single quotes
This query not inserted when variable $subject has single quotes.当变量 $subject 具有单引号时,不会插入此查询。 Is there any possible solution available?
有没有可能的解决方案?
mysql_query("INSERT INTO table (to_email_id,subject) values('$to','$subject');");
Consider using Parameterized Queries using PDO for example. 例如,考虑使用使用PDO的参数化查询。
Alternately, enclose your variables in brackets { }. 或者,将变量放在方括号{}中。
Edit: 编辑:
I missed that your variable $subject
contains single quotes. 我错过了您的变量
$subject
包含单引号。 This means you have to escape them. 这意味着您必须逃脱它们。 (See the myriad of other answers and
mysql_real_escape_string()
about this.) But as you can see, single quotes inside the variable is exactly how injection attacks work. (有关此问题,请参见无数其他答案和
mysql_real_escape_string()
。)但是正如您所看到的,变量内的单引号正是注入攻击的工作方式。 Escaping them helps prevent such problems as well as allow your query to store the expected data. 转义它们有助于防止此类问题,并允许您的查询存储期望的数据。
No answer about injection attacks is complete without referencing Bobby Tables . 如果不参考Bobby Tables,关于注入式攻击的答案是不完整的。
Escape your parameters. 转义您的参数。
$to = mysql_real_escape_string($to);
$subject = mysql_real_escape_string($subject);
mysql_query("INSERT INTO table (to_email_id, subject) values('$to', '$subject');");
Manual: mysql_real_escape_string()
手册:
mysql_real_escape_string()
Also, please read about SQL injection attacks . 另外,请阅读有关SQL注入攻击的信息 。
Your query will be returning a 1064 error which is a syntax error within your query. 您的查询将返回1064错误,这是查询中的语法错误。 This is happening because the variables, specifically $subject in the case of the question is altering the format of your enclosed string.
之所以发生这种情况,是因为变量(特别是在问题中为$ subject)正在更改封闭字符串的格式。 For example, let's say we have
例如,假设我们有
$subject = "fire's hotter than it looks";
When this is evaluated in your query your query string will be 在查询中评估此值后,您的查询字符串将为
INSERT INTO table (to_email_id,subject)
VALUES('the value of the to variable','fire's hotter than it looks');
If you look at the second item in the values, which was once $subject, you'll notice you now have an uneven number of apostrophes meaning that the end of your query '); 如果您看一下值中的第二个项目,它曾经是$ subject,那么您会注意到现在撇号的数量是不均匀的,这意味着查询的结尾');。 is an open string.
是一个开放的字符串。
As commented above use a function such as mysql_real_escape_string() to add the missing slashes. 如上所述,请使用mysql_real_escape_string()之类的函数添加缺少的斜杠。
Quick note: adding slashes to characters such as " and ' (\\", \\'). 快速说明:在诸如“和'(\\”,\\')之类的字符上添加斜杠。 tells mysql to interpret these as string characters instead of query string delimiters.
告诉mysql将它们解释为字符串字符,而不是查询字符串定界符。
You need to use mysql_real_escape_string()
on your values $to
and $subject
您需要在
$to
和$subject
值上使用mysql_real_escape_string()
Also if you weren't doing this before you are open to sql injection 另外,如果您在进行sql注入之前未进行此操作
Your query has a great "hole" -> SQL injection. 您的查询有一个很大的“漏洞”-> SQL注入。 You should read more about this here: http://en.wikipedia.org/wiki/SQL_injection and also here http://php.net/manual/en/function.mysql-real-escape-string.php
您应该在这里阅读更多有关此的信息: http : //en.wikipedia.org/wiki/SQL_injection以及http://php.net/manual/en/function.mysql-real-escape-string.php
To make a short answer you must "escape" values passed to mysql. 要简短回答,您必须“转义”传递给mysql的值。 Best way to do it is with using mysql_real_escape_string function.
最好的方法是使用mysql_real_escape_string函数。
$query = sprintf("mysql_query("INSERT INTO table (to_email_id,subject) values('%s', '%s');", mysql_real_escape_string($to),mysql_real_escape_string($subject));
mysql_query($query);
I hope this will help you. 我希望这能帮到您。
if you are using 如果您正在使用
(all book's are available) as $subject and you are trying to insert in to mysql (所有书籍都可用)作为$ subject,并且您尝试插入mysql
use this 用这个
$disc_str = addslashes($subject);
"INSERT INTO table name (subject) value('$disc_str')"; “插入表名称(主题)值('$ disc_str')”;
it works for me in Textarea with tinymce also 它也与tinymce在Textarea中对我有效
Solution is very simple.解决方法很简单。 Just add below method before storing your data into php variable
在将数据存储到 php 变量之前,只需添加以下方法
$connection = mysqli_connect($host,$dbuser,$dbpass,$dbname);
$to= mysqli_real_escape_string($connection, $old_email);
$subject= mysqli_real_escape_string($connection, $old_subject)
$query = "INSERT INTO table (to_email_id,subject) values('$to','$subject');";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.