Inserting ' into mysql table
Question

I want to insert student'coe into the collegename field of a table in MySQL, but because of the (') it is giving an error. To avoid it I found that mysql_real_escape_string should be used, but I am not getting its proper syntax. Please help with the proper MySQL query syntax for inserting the value

student'coe

into the table.

What I have tried:

collegename='mysql_real_escape_string(student'sCOE)'
Recommended answer

The problem is that you are using string concatenation to build your queries. That leaves your code vulnerable to SQL Injection (see http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html).

You need to change your code to use parameterized queries instead. That means switching from the mysql_ methods to either MySQLi or PDO.

This SO answer has a pretty good explanation.

EDIT: Turns out you're using C#, even though your question refers to a PHP function. Parameterized queries in .NET are simple:
using MySql.Data.MySqlClient;

using (var connection = new MySqlConnection("..."))
using (var command = new MySqlCommand("INSERT INTO YourTable (Column) VALUES (@Column)", connection))
{
    // The value is bound as a parameter, so the apostrophe in student'coe
    // is sent as data and never becomes part of the SQL text.
    command.Parameters.AddWithValue("@Column", "student'coe");
    connection.Open();
    command.ExecuteNonQuery();
}
Alternatively, use Dapper.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
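As an added example (not code from the original answer), here is the same failure and the same fix in Python: the standard-library sqlite3 module stands in for MySQL so it runs offline, and the table name student is assumed; MySQL DB-API drivers use %s placeholders instead of sqlite3's ?, otherwise the pattern is identical.

```python
import sqlite3

# Added example, not from the original Q&A. sqlite3 replaces MySQL here so
# the script runs offline; table name "student" is assumed, column name
# "collegename" and the value come from the question.
VALUE = "student'coe"


def make_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like the one in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (id INTEGER PRIMARY KEY, collegename TEXT)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, collegename: str) -> bool:
    """The broken approach from the question: the value is spliced into the
    SQL text, so the apostrophe in student'coe closes the string literal
    early and the statement no longer parses. Returns False on SQL error."""
    sql = "INSERT INTO student (collegename) VALUES ('" + collegename + "')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False


def insert_parameterized(conn: sqlite3.Connection, collegename: str) -> bool:
    """The fix recommended in the answer: the SQL text holds only a
    placeholder and the driver sends the value separately, so quotes in
    the data can never alter the statement."""
    conn.execute("INSERT INTO student (collegename) VALUES (?)", (collegename,))
    return True


def read_back(conn: sqlite3.Connection) -> list:
    """Return every collegename stored, to prove the value survived intact."""
    return [row[0] for row in conn.execute("SELECT collegename FROM student")]


def demo() -> tuple:
    """Run both approaches against the same value and report the outcome."""
    conn = make_db()
    broke = insert_concatenated(conn, VALUE)
    fixed = insert_parameterized(conn, VALUE)
    return broke, fixed, read_back(conn)


if __name__ == "__main__":
    print(demo())
```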