
Problems with mysql_real_escape_string

I have a field called filter1 on a form, and I would like to be able to save quoted text into MySQL. So I would like to be able to save the value "foo bar"... instead it's saving just /

Here is what I have:

$keyword1 = mysql_real_escape_string($_POST['filter1']);

Any help is appreciated.

Here is how I construct the query

$keyword1 = mysql_real_escape_string($_POST['filter1']);
$keyword2 = $_POST['filter2'];//."|".$_POST['filterby'];
$keyword3 = $_POST['filter3'];//."|".$_POST['filterby2'];

$urlfilter1 = $_POST['url1'];
$urlfilter2 = $_POST['url2'];//."|".$_POST['url_filter'];
$urlfilter3 = $_POST['url3'];//."|".$_POST['url_filter2'];
//echo "combo_id:".$num." <BR></br>";
//echo "status:".$status." <BR></br>";
//echo "saveQuery:".$saveQuery." <BR></br>";
//$myFilter = "save"; 
$insert_query = sprintf("UPDATE COMBINATION 
                        SET STATUS_ID=%s, QUERY=\"%s\", 
                        KEYWORD1=\"%s\", KEYWORD2=\"%s\", KEYWORD3=\"%s\", 
                        URLFILTER1=\"%s\", URLFILTER2=\"%s\", URLFILTER3=\"%s\" 
                        WHERE COMBINATION_ID=%s",$status,$saveQuery,
                        $keyword1,$keyword2,$keyword3,
                        $urlfilter1,$urlfilter2,$urlfilter3,
                        $num);
//echo "insert_query:".$insert_query." <BR></br>";
$result = mysql_query($insert_query) or die(mysql_error());
if($result)
{
    echo "Saved successfully<br>";
}

} ?>

Unless you have a very old and restricted environment, use PDO. It will save you buckets of sweat and tears. With PDO it is very easy to escape input and avoid SQL injection attacks, which is illustrated in the answer that this link leads to.

Well first you need to connect to the database with mysql_connect() http://php.net/manual/en/function.mysql-connect.php

Then you need to call your INSERT query with mysql_query() http://php.net/manual/en/function.mysql-query.php

By the way, you are doing the right thing by escaping the string before putting it into a query, well done :)

For some reason you are escaping only one variable, while adding to the query several of them.
Why don't you escape them all?

However, your problem may be somewhere else. What is $saveQuery? I am curious.
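The two answers above (use PDO; escape every value, not just one) point at the same fix, so here is the question's UPDATE rewritten with PDO prepared statements. This is an added example, not code from the original question or answers. The table and column names come from the question; the DSN, credentials and the `status` / `combo_id` form field names are assumptions. Because bound parameters travel to the server separately from the SQL text, a quoted value such as "foo bar" is stored exactly as typed and cannot break out of the statement, which also covers every value that the original code left unescaped.

```php
<?php
// Added example: the question's UPDATE with PDO prepared statements.
// Table/column names are from the question; DSN, credentials and the
// 'status' / 'combo_id' field names are assumptions for illustration.

function updateCombination(PDO $pdo, array $post): bool
{
    // Named placeholders replace the sprintf("...\"%s\"...") string building.
    // No quoting of values happens in PHP at all; the server receives the
    // statement and the values as separate messages.
    $sql = 'UPDATE COMBINATION
               SET STATUS_ID  = :status, QUERY      = :query,
                   KEYWORD1   = :kw1,    KEYWORD2   = :kw2,  KEYWORD3   = :kw3,
                   URLFILTER1 = :url1,   URLFILTER2 = :url2, URLFILTER3 = :url3
             WHERE COMBINATION_ID = :id';

    $stmt = $pdo->prepare($sql);

    // Numeric columns: cast and bind as integers so a stray string is rejected early.
    $stmt->bindValue(':status', (int) ($post['status'] ?? 0), PDO::PARAM_INT);
    $stmt->bindValue(':id',     (int) ($post['combo_id'] ?? 0), PDO::PARAM_INT);

    // String columns: every form field is bound, not just filter1.
    $stringFields = [
        'query' => 'saveQuery',
        'kw1'   => 'filter1', 'kw2'  => 'filter2', 'kw3'  => 'filter3',
        'url1'  => 'url1',    'url2' => 'url2',    'url3' => 'url3',
    ];
    foreach ($stringFields as $param => $field) {
        $stmt->bindValue(':' . $param, (string) ($post[$field] ?? ''), PDO::PARAM_STR);
    }

    // With ERRMODE_EXCEPTION, a failed execute throws instead of returning false,
    // so the old "or die(mysql_error())" is no longer needed.
    return $stmt->execute() && $stmt->rowCount() >= 0;
}

// Connection settings are placeholders; charset in the DSN matters because
// it decides how the driver interprets multibyte input.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

if (updateCombination($pdo, $_POST)) {
    echo "Saved successfully<br>";
}
```

A quick way to confirm the quotes survive: after submitting `"foo bar"` through the form, `SELECT KEYWORD1 FROM COMBINATION WHERE COMBINATION_ID = ?` (bound the same way) returns the string with both quotation marks intact and no backslashes, since nothing escaped it on the way in.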
