Mysql + php,带有特殊字符,例如'(Apostrophe)和" (引号) [英] Mysql + php with special characters like '(Apostrophe) and " (Quotation mark)
问题描述
一段时间以来,我一直在努力解决一个小问题.它已经存在了很多年,但这只是一个令人烦恼的问题,而不是一个严重的问题,而我只是解决了这个问题.但是现在我想找出是否有人可以帮助我.我做了一些谷歌搜索,但没有成功.
I have been struggling with a small problem for a while. It's been there for years but it's just been an irritating problem and not a serious one, and I have just worked around it. But now I want to find out if anyone can help me. I have done some google'ing but no success.
如果我从php文件中的html textarea进行表单发布,如下所示:
If I do a form post from a html textarea in a php file like this:
<form action="http://action.com" method="post">
<textarea name="text"><a href="http://google.com">google's site</a></textarea>
</form>
当然还有一个提交按钮,依此类推.
and of course there is a submit button and so on.
值是问题:<a href="http://google.com">google's site</a>
文本区域的值同时具有(引号)和'(撇号).
The value is the problem: <a href="http://google.com">google's site</a>
The value of the textarea have both "(Quotation mark) and '(Apostrophe).
要将其保存在mysql_database中,请执行以下操作:
To save this in a mysql_database I do this:
$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".$_POST['text']."') ") or die(mysql_error());
现在我得到了mysql错误:
And now I get the mysql error:
您的SQL语法有错误;请查看与您的MySQL服务器版本相对应的手册,以找到在第1行的站点"附近使用的正确语法
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's site'' at line 1
推荐答案
您的sql字符串为:
INSERT INTO `table` (`row1`) VALUES ('google's site')
这不是有效的声明.正如Nanne所写,请至少使用mysql_real_escape_string对该字符串进行转义: http://php.net/manual/en/function.mysql-real-escape-string.php
Which is not a valid statement. As Nanne wrote, escape the string at least with mysql_real_escape_string : http://php.net/manual/en/function.mysql-real-escape-string.php
并阅读有关sql注入的信息 http://en.wikipedia.org/wiki/SQL_injection
And read about sql injection http://en.wikipedia.org/wiki/SQL_injection
想一想:如果有人发布了此内容:$_POST['text']
,其值是:');delete from table;....
Think a bit: if someone posts this: $_POST['text']
with value: ');delete from table;....
您可以对您的数据说再见:)
Your can say good bye to your data :)
始终过滤/转义输入!
自PHP 5.5.0起,不建议使用mysql_real_escape_string和mysql扩展名.请改用mysqli扩展名和mysqli :: escape_string函数
这篇关于Mysql + php,带有特殊字符,例如'(Apostrophe)和" (引号)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!