Mysql + php，带有特殊字符，例如'(Apostrophe)和" (引号) [英] Mysql + php with special characters like '(Apostrophe) and " (Quotation mark)

问题描述

一段时间以来，我一直在努力解决一个小问题.它已经存在了很多年，但这只是一个令人烦恼的问题，而不是一个严重的问题，而我只是解决了这个问题.但是现在我想找出是否有人可以帮助我.我做了一些谷歌搜索，但没有成功.

I have been struggling with a small problem for a while. It's been there for years but it's just been an irritating problem and not a serious one, and I have just worked around it. But now I want to find out if anyone can help me. I have done some google'ing but no success.

如果我从php文件中的html textarea进行表单发布，如下所示:

If I do a form post from a html textarea in a php file like this:

<form action="http://action.com" method="post">
<textarea name="text"><a href="http://google.com">google's site</a></textarea>
</form>

当然还有一个提交按钮，依此类推.

and of course there is a submit button and so on.

值是问题:<a href="http://google.com">google's site</a>文本区域的值同时具有(引号)和'(撇号).

The value is the problem: <a href="http://google.com">google's site</a> The value of the textarea have both "(Quotation mark) and '(Apostrophe).

要将其保存在mysql_database中，请执行以下操作:

To save this in a mysql_database I do this:

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".$_POST['text']."') ") or die(mysql_error());

现在我得到了mysql错误:

And now I get the mysql error:

您的SQL语法有错误；请查看与您的MySQL服务器版本相对应的手册，以找到在第1行的站点"附近使用的正确语法

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's site'' at line 1

推荐答案

您的sql字符串为:

INSERT INTO `table` (`row1`) VALUES ('google's site')

这不是有效的声明.正如Nanne所写，请至少使用mysql_real_escape_string对该字符串进行转义: http://php.net/manual/en/function.mysql-real-escape-string.php

Which is not a valid statement. As Nanne wrote, escape the string at least with mysql_real_escape_string : http://php.net/manual/en/function.mysql-real-escape-string.php

并阅读有关sql注入的信息 http://en.wikipedia.org/wiki/SQL_injection

And read about sql injection http://en.wikipedia.org/wiki/SQL_injection

想一想:如果有人发布了此内容:$_POST['text']，其值是:');delete from table;....

Think a bit: if someone posts this: $_POST['text'] with value: ');delete from table;....

您可以对您的数据说再见:)

Your can say good bye to your data :)

始终过滤/转义输入！

自PHP 5.5.0起，不建议使用mysql_real_escape_string和mysql扩展名.请改用mysqli扩展名和mysqli :: escape_string函数

这篇关于Mysql + php，带有特殊字符，例如'(Apostrophe)和" (引号)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！