SQL query with encoded input parameter returns empty result in MySQL

I want to fetch a spare part from MySQL (Yii framework). Some part titles contain ' , for ex.: OUTLANDER '03-06. For security reasons I encode the query string parameter through htmlspecialchars() (converts special characters to HTML entities), so the query becomes like this:

SELECT *
FROM assortment
WHERE title LIKE "%OUTLANDER '03-06 %"
LIMIT 0 , 10

yet this yields an empty result.

While if I only escape ' by adding a slash, such a query works:

SELECT *
FROM assortment
WHERE title LIKE "%OUTLANDER \'03-06 %"
LIMIT 0 , 10

What's the problem? Do I still need to apply htmlspecialchars() to input parameters to make them safe HTML entities for security reasons? What would be a solution?

I think you have to use mysql_real_escape_string() instead.

Ref: http://www.w3schools.com/php/func_mysql_real_escape_string.asp

The function htmlspecialchars() is not meant to escape strings in queries. You should use one of these functions:
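As an added example that is not part of either answer: the apostrophe disappears because htmlspecialchars() rewrites it to the HTML entity &#039; before the query runs, and no title contains that entity. The HTML-encoding step belongs at output time; for the query itself, bind the raw value as a parameter and let the driver quote it. The code below uses PDO, which Yii's DB layer is built on; it runs against an in-memory SQLite database with constructed sample rows so it works offline, and the MySQL DSN shown in the comment is an assumption. Note that the mysql_* functions (including mysql_real_escape_string()) were removed in PHP 7; PDO or MySQLi with bound parameters is the replacement.

```php
<?php
// Added example (not from the original question or answers): keep
// htmlspecialchars() for HTML output, bind the raw value for SQL.
// Uses an in-memory SQLite database via PDO so it runs offline; for MySQL
// only the DSN changes, e.g. "mysql:host=localhost;dbname=app" (assumption).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data mirroring the assortment table from the question.
$pdo->exec("CREATE TABLE assortment (id INTEGER PRIMARY KEY, title TEXT)");
$insert = $pdo->prepare("INSERT INTO assortment (title) VALUES (:title)");
foreach (["Front bumper OUTLANDER '03-06 left", "Mirror OUTLANDER '07-12"] as $t) {
    $insert->execute([':title' => $t]);
}

// The user-supplied term is passed as a bound value: the driver handles
// quoting, the apostrophe is matched literally, and the input can never
// change the structure of the statement.
function findParts(PDO $pdo, string $term, int $limit = 10): array
{
    $stmt = $pdo->prepare(
        "SELECT id, title FROM assortment WHERE title LIKE :pattern LIMIT :limit"
    );
    $stmt->bindValue(':pattern', '%' . $term . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$userInput = "OUTLANDER '03-06";   // raw query-string value from the request

// 1. What the question did: HTML-encode before querying. The apostrophe
//    becomes &#039;, which no title contains, so the result set is empty.
$encoded = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
var_dump(count(findParts($pdo, $encoded)));   // int(0)

// 2. Raw value bound as a parameter: one match, no escaping needed by hand.
$rows = findParts($pdo, $userInput);
var_dump(count($rows));                       // int(1)

// 3. Apply htmlspecialchars() only where the value is rendered into HTML.
foreach ($rows as $row) {
    echo '<li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

One caveat that binding does not cover: % and _ are LIKE wildcards, so a user can still widen the search with them. If that matters, escape those two characters in $term before concatenating the surrounding % and add an ESCAPE clause with the driver's escape character (MySQL's default is a backslash).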
