使用撇号在PHP查询中搜索术语
[英]search terms in a PHP query with apostrophes
问题描述
I've been looking through a bunch of topics but haven't found anything that works yet - or maybe it does, but I'm pretty new to PHP/MySQL, so maybe I'm just missing something. 
我一直在浏览一些主题,但还没有找到任何有用的东西 - 或许它确实如此,但我对PHP / MySQL很新,所以也许我只是遗漏了一些东西。
I've got a page that allows users to type in the name of an item to look it up in the (MySQL) database. 我有一个页面,允许用户输入项目的名称,以便在(MySQL)数据库中查找它。 It then generates a table of results and displays those, and turns some of the data into links. 然后它生成一个结果表并显示它们,并将一些数据转换为链接。 The linked terms are then used as queries to search other fields of the database. 然后将链接的术语用作查询以搜索数据库的其他字段。
Everything works... except when one of the search terms contains an apostrophe. 一切正常......除非其中一个搜索词包含撇号。 Obviously I want to prevent injection issues, but I also need to search with the apostrophes. 显然我想防止注入问题,但我还需要用撇号进行搜索。 Here's the code I have: 这是我的代码:
$query = mysql_real_escape_string($query);
$query = htmlspecialchars($query);
$queryentered = $query;
$query = strtolower($query);
And here's the URL that's it's passing to the query: 这是传递给查询的URL:
echo " from <a href='index.php?volume=".$results2['book']."' class='where'>"
.$results2['book']."</a>";
And the query: 和查询:
$raw_results = mysql_query("SELECT * FROM $database1 WHERE $wh LIKE '%$query%'
ORDER BY displayname") or die(mysql_error());
What am I not encoding right? 我编码的是什么? When I run a search, it displays "No results found for [search term]", where I'm getting \\' for any apostrophes. 当我运行搜索时,它显示“找不到[搜索词]的结果”,其中我得到了任何撇号。
3 个解决方案
解决方案1
2 2012-11-12 03:33:35
This snippet is in exactly the wrong order: 此代码段完全错误:
$query = mysql_real_escape_string($query);
$query = htmlspecialchars($query);
$queryentered = $query;
$query = strtolower($query);
Escaping should be done last, right before the database query string concatenation. 应该在数据库查询字符串连接之前的最后一次执行转义。 In this case it's irrelevant as strtolower does not undo the escaping. 在这种情况下,它无关紧要,因为strtolower不会撤消转义。 More severe is actually the HTML escaping, which does not belong in SQL context. 更严重的是HTML转义,它不属于SQL上下文。 Don't overwrite your main variable, instead: 不要覆盖主变量,而是:
$queryentered = htmlspecialchars($query);
$query = strtolower($query);
$query = mysql_real_escape_string($query);
The cumbersome database escaping, btw, is easy to avoid. 繁琐的数据库逃逸,顺便说一句,很容易避免。 Look into PDO and prepared statements . 查看PDO和准备好的陈述 。
解决方案2
1 2012-11-12 03:30:24
I'd STRONGLY recommend using prepared statements and the PDO library. 我强烈建议使用预准备语句和PDO库。
- Really easy to learn 真的很容易学习
- Will make your question easier to solve 将使您的问题更容易解决
- Works with (most) any database 适用于(大多数)任何数据库
- Goes a long way to prevent the injection issues you mention 在很长的路要走,以防止您提到的注射问题
- Skill set will be applicable to other languages you may learn 技能组合适用于您可能学习的其他语言
All you have to do is write the query, then prepare a connection string (with the database type and details) and then fire off the query. 您所要做的就是编写查询,然后准备一个连接字符串(包含数据库类型和详细信息),然后触发查询。 An array of parameters is sent with the query, to decouple the data. 随查询一起发送参数数组以解耦数据。
Helpful links: 有用的网址:
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/ http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
解决方案3
1 2012-11-12 03:34:25
problem is in this line: 问题在于这一行:
$query = htmlspecialchars($query);
If you search for Death's book your final $query would be death\\'s book ! 如果你搜索Death's book你的最终$query将是death\\'s book ! By removing htmlspecialchars your query would be fine! 通过删除htmlspecialchars您的查询将没事!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.