mysql_query("INSERT INTO objects(objId, objectId, objectCategory, SortOrder, Name) VALUES('{$obj_id}', '{$object_id}', '{$object_category}', '{$sortorder}', 'My " . $objecta['Name'] . "')")or die(mysql_error());
This code fails when $objecta['Name'] has a single quote in it. I can't seem to be able to quote everything so that it works even if $objecta['Name'] has a single quote in it.
Two things:
1) You should escape your input. mysql_real_escape_string($objecta['Name']) This ensures that things like the ' character are escaped, i.e. \\' which allows the insert to happen.
2) mysql_* extension is deprecated and you should really at least use mysqli_* or pdo or another database driver. Using prepared statements in one of these other database drivers accomplishes the same as what I said above.
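The prepared-statement approach recommended in the answer, shown as an added example that is not part of the original post. It assumes PDO with an in-memory SQLite database so that it runs without a server; the column types are guessed from the question's column names, and the sample values and the insertObject helper are constructed for illustration.

```php
<?php
// Added example: parameterized INSERT with PDO.
// Assumption: SQLite in-memory so the script runs offline. For MySQL use a DSN
// such as 'mysql:host=...;dbname=...;charset=utf8mb4' and also set
// PDO::ATTR_EMULATE_PREPARES to false to get server-side prepared statements.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Column names come from the question; the types are assumed.
$pdo->exec('CREATE TABLE objects (
    objId INTEGER, objectId INTEGER, objectCategory TEXT,
    SortOrder INTEGER, Name TEXT)');

// Hypothetical helper: values travel separately from the SQL text, so a quote
// in $name is data and can never terminate the string literal.
function insertObject(PDO $pdo, int $objId, int $objectId,
                      string $category, int $sortOrder, string $name): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO objects (objId, objectId, objectCategory, SortOrder, Name)
         VALUES (:objId, :objectId, :category, :sortOrder, :name)'
    );
    $stmt->execute([
        ':objId'     => $objId,
        ':objectId'  => $objectId,
        ':category'  => $category,
        ':sortOrder' => $sortOrder,
        ':name'      => 'My ' . $name,   // same "My " prefix as the question
    ]);
}

// Constructed sample names containing the characters that broke the query.
$names = ["O'Brien's lamp", "it's a \"quoted\" \\ name"];
foreach ($names as $i => $name) {
    insertObject($pdo, $i + 1, 100 + $i, 'demo', $i, $name);
}

// Read the rows back and confirm each name was stored byte for byte.
$select = $pdo->prepare('SELECT Name FROM objects WHERE objId = :objId');
foreach ($names as $i => $name) {
    $select->execute([':objId' => $i + 1]);
    $stored = $select->fetchColumn();
    if ($stored !== 'My ' . $name) {
        throw new RuntimeException("Round-trip mismatch for row " . ($i + 1));
    }
    echo $stored, PHP_EOL;
}
```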