MySQL/PHP:允许特殊字符并避免 SQL 注入 [英] MySQL/PHP: Allow special characters and avoid SQL injection

问题描述

如何允许特殊字符如 " ' \/: ; 等而不使用以下代码打开 SQL 注入:

How can I allow special characters like " ' \ / : ; etc without open up for SQL injection using the code below:

$opendb = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);

$text = $_POST['text'];

mysql_query("UPDATE table SET text='" . $text . "' WHERE 
id='" . $_GET['id'] . "'");

mysql_close($opendb);

$text 包含来自 HTML 文本区域的句子.当我尝试在引号中输入文本时，它只是在引号之前插入文本.

$text contains a sentence from a HTML textarea. When I tries to enter text in a quote it just insert the text before the quotes.

推荐答案

好吧，也许最简单的解决方案是使用 mysql_real_escape_string() 函数，如下所示:

Well, maybe the simplest solution is to use mysql_real_escape_string() function like this:

$opendb = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);

$text = $_POST['text'];

mysql_query("UPDATE table SET text='" . mysql_real_escape_string($text) . "' WHERE 
id='" . $_GET['id'] . "'");

mysql_close($opendb);

使用此代码，您可以将 $text 变量中的特殊字符保存到数据库中.

using this code you could allow special characters in $text variable to be saved into the database.

你也应该转义 $_GET['id'].

You should escape $_GET['id'] also.

这篇关于MySQL/PHP:允许特殊字符并避免 SQL 注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！