逃避PHP和MySQL [英] Escaping for PHP and MySQL

问题描述

我刚刚发现我写的应用程序不允许用户输入

撇号到textarea。如果他们这样做，插入/更新失败。


我确定这个问题已经完成 - 但这是第一次

它是为我而来的。


我正在做的是这样的事情：


函数UpdateRecord（$ iID ，$ sContent）{

$ sSQL =" UPDATE MyTable SET content =''$ sContent''其中id = $ iID";

$ bSuccess = RunSQL（$ sSQL）;

返回$ bSuccess;

}


是否有简单的转义命令，或者我是否需要全部进入

为撇号和诸如此类的东西编写一些复杂的处理程序。


注意：在这个例子中，我*完全*忽略来自SQL的威胁

注射。我只是不希望撇号使更新/创建崩溃。

I just found out that an app I wrote doesn''t allow the user to input
apostrophes into the textarea. If they do, the insert/update fails.

I''m sure this issue has been done to death - but it''s the first time
it''s come up for me.

What I''m doing is something like this:

function UpdateRecord($iID, $sContent) {
$sSQL = "UPDATE MyTable SET content=''$sContent'' where id=$iID";
$bSuccess = RunSQL($sSQL);
return $bSuccess;
}

Is there a simple escape command, or am I going to have to get all into
writing some complex handler for apostrophes and whatnot.

Note: In this example, I''m *totally* ignoring the threat from SQL
injection. I just don''t want apostrophes to crash the update/create.

推荐答案

iID，

sContent）{

sContent) {

sSQL =" UPDATE MyTable SET content =''

sSQL = "UPDATE MyTable SET content=''

这篇关于逃避PHP和MySQL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！