stackoom
  简体   繁体   中英

How should I format my string before inserting it into a mysql table?

 原文  2011-05-29 18:01:59       php/ mysql

Question

So I'm creating this app for storing films about details and everything was working until I changed my OS from Mac to Ubuntu.

The user posts details about the film and the PHP script inserts it into the table; so, on a very basic level:

$description = $_POST['description'];

mysql_query("insert into film (description) values ('$description')");

Edit: Sometimes it works and sometimes it doesn't - I'm assuming it has something to do with the quotes and the variable (the film description that I'm entering) I'm inserting. The description of the description column is text. It works when I enter something random with no punctuation.

Edit: Entering real data for example this description of Monsters Inc. In a city of monsters with no humans called Monstropolis centers around Monsters, Inc., the city's power company. Monsters, Inc. The lovable confidant, tough large, furry blue behemoth-like giant monster named James P. Sullivan (AKA better known as Sulley) and his Cyclops wisecracking best friend short, green monster with one large eye, Mike Wazowski discover what happens when the real world interacts with theirs in the form of a 2-year-old baby girl dubbed "Boo," who accidentally sneaks into the monster world with Sulley one night. And now it's up to Sulley and Mike to send Boo back in her door before anybody and especially two evil villains such as Sulley's main rival as a scarer chameleon-like Randall(a monster that Boo is very afraid of), who possesses the ability to change the color of his skin and Mike and Sulley's boss Mr. Waternoose the chairman and chief executive officer of Monsters, Inc

Doesn't work but I'm not sure what is 'breaking' it - ie is it the double quotes or parenthesis.

2 answers

solution1
 2  2011-05-29 18:03:33

You should take a look at mysql_real_escape_string .

Basically - you need to make sure your string does not have any characters in it that can mess up the SQL query.

solution2
 2 ACCPTED  2011-05-29 18:06:59

Are the strings within bounds? For example, if you have a varchar(25) field and your string is 124 characters, you've got a problem. Also, check the encoding of the string. Validate your input.

Next, sanitize using mysqli_real_escape_string() . All input is evil and you've opened your app up to a SQL injection attack.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question In PHP, how can I escape single quotes in my string before inserting into a MySQL table? How should i output my MySQL data into json in this kind format? How should I store these multiple values in my MySQL table? mysql query not inserting string into table? How should be my mysql table structure? Why is this inserting a string into my table? Mysql : should i put my data into 1 table or split per user? INSERTing UTF-8 string into MySQL table MYSQL should i use 2 querys or add them to my new table php with mysql, the code is not inserting into my table
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM