逃避PHP和MySQL [英] Escaping for PHP and MySQL
问题描述
我刚刚发现我写的应用程序不允许用户输入
撇号到textarea。如果他们这样做,插入/更新失败。
我确定这个问题已经完成 - 但这是第一次
它是为我而来的。
我正在做的是这样的事情:
函数UpdateRecord($ iID ,$ sContent){
$ sSQL =" UPDATE MyTable SET content =''$ sContent''其中id = $ iID";
$ bSuccess = RunSQL($ sSQL);
返回$ bSuccess;
}
是否有简单的转义命令,或者我是否需要全部进入
为撇号和诸如此类的东西编写一些复杂的处理程序。
注意:在这个例子中,我*完全*忽略来自SQL的威胁
注射。我只是不希望撇号使更新/创建崩溃。
I just found out that an app I wrote doesn''t allow the user to input
apostrophes into the textarea. If they do, the insert/update fails.
I''m sure this issue has been done to death - but it''s the first time
it''s come up for me.
What I''m doing is something like this:
function UpdateRecord($iID, $sContent) {
$sSQL = "UPDATE MyTable SET content=''$sContent'' where id=$iID";
$bSuccess = RunSQL($sSQL);
return $bSuccess;
}
Is there a simple escape command, or am I going to have to get all into
writing some complex handler for apostrophes and whatnot.
Note: In this example, I''m *totally* ignoring the threat from SQL
injection. I just don''t want apostrophes to crash the update/create.
推荐答案
iID,
sContent){
sContent) {
sSQL =" UPDATE MyTable SET content =''
sSQL = "UPDATE MyTable SET content=''
这篇关于逃避PHP和MySQL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!