当 PHP 变量包含单引号时未插入 MySQL 查询 [英] MySQL Query not inserted when PHP variable contains single quotes

问题描述

当变量 $subject 有单引号时，不会插入此查询.有没有可能的解决方案?

This query not inserted when variable $subject has single quotes . Is there any possible solution available ?

mysql_query("INSERT INTO  table  (to_email_id,subject) values('$to','$subject');");

推荐答案

考虑使用参数化查询使用 PDO 例如.

Consider using Parameterized Queries using PDO for example.

或者，将变量括在括号 { } 中.

Alternately, enclose your variables in brackets { }.

我错过了您的变量 $subject 包含 单引号.这意味着你必须逃避它们.(请参阅无数其他答案和 mysql_real_escape_string() 关于此.)但是正如您所看到的，变量中的单引号正是注入攻击的工作方式.转义它们有助于防止此类问题，并允许您的查询存储预期的数据.

I missed that your variable $subject contains single quotes. This means you have to escape them. (See the myriad of other answers and mysql_real_escape_string() about this.) But as you can see, single quotes inside the variable is exactly how injection attacks work. Escaping them helps prevent such problems as well as allow your query to store the expected data.

如果不参考 Bobby Tables，关于注入攻击的答案是不完整的.

No answer about injection attacks is complete without referencing Bobby Tables.

这篇关于当 PHP 变量包含单引号时未插入 MySQL 查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！