将$ variable或$ _POST值插入mysql表 [英] Inserting $variable or $_POST value into mysql table

问题描述

我的问题涉及为什么一段代码有效，而另两个无效，以及我如何才能获得不起作用的代码.

My question concerns why one piece of code works and two that does not, and how i can get the code that does not work to work.

有效的代码:

mysql_select_db("webuser1", $con);

mysql_query("INSERT INTO users (column 1, column2) VALUES ('value1', 'value2')");

mysql_close($con);

没有的代码no1($ var1包含'value1'等):

Code no1 that does not ($var1 contains 'value1' etc.):

mysql_select_db("webuser1", $con);

mysql_query("INSERT INTO users (column 1, column2) VALUES ($var1, $var2)");

mysql_close($con);

并且代码2不起作用($ _POST ['value1']包含'value1'等):

And code no2 that does not work ($_POST['value1'] contains 'value1' etc.):

mysql_select_db("webuser1", $con);

mysql_query("INSERT INTO users (column 1, column2) VALUES ($_POST['value1'], $_POST['value2'])");

mysql_close($con);

我不应该能够在mysql中插入$ var或$ _POST吗?我希望您不会觉得这个Q愚蠢，但是我一直在寻找解决方案，但我还不了解它们. 谢谢

Am i not supposed to be able to insert $var or $_POST in mysql? I hope you do not find this Q stupid but i have been looking around for solutions but i have not understood them. Thank you

推荐答案

在SQL中，字符串值需要用引号引起来:

In SQL, string values need to be quoted:

VALUES ('value1', 'value2')"

使用变量时:

VALUES ($var1, $var2)");

除非引用本身在值中，否则它们不会被引用.

They are not quoted … unless the quotes are in the values themselves.

因此，如果$var1 = 'value1'; $var2 = 'value2'则(在变量中插入变量之后)，您的SQL如下所示:

So if $var1 = 'value1'; $var2 = 'value2' then (after the variables are interpolated in your string) your SQL looks like this:

VALUES (value1, value2)"

您可以通过添加引号来解决当前的问题:

You could resolve your immediate problem by adding quotes:

VALUES ('$var1', '$var2')");

但这不能解决您的主要安全漏洞，并且可以让您的数据以不同的方式中断查询.

but this doesn't fix your major security vulnerability and lets your data break the query in different ways.

您应该避免通过从变量中组合字符串来创建SQL语句.这种方式导致SQL注入安全漏洞.使用支持绑定参数的界面.他们将为您处理报价和转义.

You should avoid creating SQL statements by assembling strings from variables. This way leads to SQL Injection security holes. Use an interface that supports bound arguments. They will handle quoting and escaping for you.

这篇关于将$ variable或$ _POST值插入mysql表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！