MySQL PHP 变量包含单引号时未插入查询

Question

This query not inserted when variable $subject has single quotes. Is there any possible solution available?

mysql_query("INSERT INTO  table  (to_email_id,subject) values('$to','$subject');");

Answer 1

Consider using Parameterized Queries using PDO for example.

Alternately, enclose your variables in brackets { }.

Edit:

I missed that your variable $subject contains single quotes. This means you have to escape them. (See the myriad of other answers and mysql_real_escape_string() about this.) But as you can see, single quotes inside the variable is exactly how injection attacks work. Escaping them helps prevent such problems as well as allow your query to store the expected data.

No answer about injection attacks is complete without referencing Bobby Tables .

Answer 2

Escape your parameters.

$to = mysql_real_escape_string($to);
$subject = mysql_real_escape_string($subject);
mysql_query("INSERT INTO  table (to_email_id, subject) values('$to', '$subject');");

Manual: mysql_real_escape_string()

Also, please read about SQL injection attacks .

Answer 3

Your query will be returning a 1064 error which is a syntax error within your query. This is happening because the variables, specifically $subject in the case of the question is altering the format of your enclosed string. For example, let's say we have

$subject = "fire's hotter than it looks";

When this is evaluated in your query your query string will be

INSERT INTO  table  (to_email_id,subject) 
     VALUES('the value of the to variable','fire's hotter than it looks');

If you look at the second item in the values, which was once $subject, you'll notice you now have an uneven number of apostrophes meaning that the end of your query '); is an open string.

As commented above use a function such as mysql_real_escape_string() to add the missing slashes.

Quick note: adding slashes to characters such as " and ' (\\", \\'). tells mysql to interpret these as string characters instead of query string delimiters.

Answer 4

You need to use mysql_real_escape_string() on your values $to and $subject

Also if you weren't doing this before you are open to sql injection

Answer 5

USE

mysql_real_escape_string

Answer 6

Your query has a great "hole" -> SQL injection. You should read more about this here: http://en.wikipedia.org/wiki/SQL_injection and also here http://php.net/manual/en/function.mysql-real-escape-string.php

To make a short answer you must "escape" values passed to mysql. Best way to do it is with using mysql_real_escape_string function.

$query = sprintf("mysql_query("INSERT INTO  table  (to_email_id,subject) values('%s', '%s');", mysql_real_escape_string($to),mysql_real_escape_string($subject));
mysql_query($query);

I hope this will help you.

Answer 7

if you are using

(all book's are available) as $subject and you are trying to insert in to mysql

use this

$disc_str = addslashes($subject);

"INSERT INTO table name (subject) value('$disc_str')";

it works for me in Textarea with tinymce also

Answer 8

Solution is very simple. Just add below method before storing your data into php variable

$connection = mysqli_connect($host,$dbuser,$dbpass,$dbname);
$to= mysqli_real_escape_string($connection, $old_email);
$subject= mysqli_real_escape_string($connection, $old_subject)


$query = "INSERT INTO  table  (to_email_id,subject) values('$to','$subject');";