PHP变量包含单引号时未插入MySQL查询 [英] MySQL Query not inserted when PHP variable contains single quotes
问题描述
当变量$ subject用单引号引起时,不会插入此查询.有没有可能的解决方案?
This query not inserted when variable $subject has single quotes . Is there any possible solution available ?
mysql_query("INSERT INTO table (to_email_id,subject) values('$to','$subject');");
推荐答案
考虑使用 PDO 进行参数化查询>例如.
Consider using Parameterized Queries using PDO for example.
或者,将变量括在方括号{}中.
Alternately, enclose your variables in brackets { }.
我想念您的变量$subject
包含单引号.这意味着您必须逃脱它们. (有关此问题,请参见无数其他答案和mysql_real_escape_string()
.)但是正如您所看到的,变量内的单引号正是注入攻击的工作方式.转义它们有助于防止此类问题,并允许您的查询存储期望的数据.
I missed that your variable $subject
contains single quotes. This means you have to escape them. (See the myriad of other answers and mysql_real_escape_string()
about this.) But as you can see, single quotes inside the variable is exactly how injection attacks work. Escaping them helps prevent such problems as well as allow your query to store the expected data.
如果不参考 Bobby Tables ,关于注入式攻击的答案是不完整的.
No answer about injection attacks is complete without referencing Bobby Tables.
这篇关于PHP变量包含单引号时未插入MySQL查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!