将文本插入到 sqlite 中，其中文本带有 " [英] insert text to sqlite where text have "

问题描述

我想从 URL 中读取查询字符串并将它们保存到 sqlite 数据库中我面临这些错误消息:

I want to read query string from URL and save them into a sqlite database I face with these Error message:

PHP Warning:  SQLite3::exec(): near ",": syntax error  

但我不知道这些问题:

$Tel = $_REQUEST["from"];
$Content = $_REQUEST["text"];
echo $Tel = strip_tags($Tel);
echo $Content = strip_tags($Content);
   $sql =<<<EOF

      INSERT INTO foodordering(Fullname, Tel, RecievingTime, Content)
      VALUES ("Ehsan", $Tel, date('now'), $Content);

EOF;

   $ret = $db->exec($sql);

推荐答案

正如 @HassanAhmed，这就是没有正确处理输入时会发生的情况；您看到的问题就像有人对您使用 SQL 注入一样.快速解决方法是将字段用引号括起来:

As mentioned by @HassanAhmed, this is what happens when inputs are not properly handled; you're seeing the same issue as if someone was using SQL injection against you. The quick fix is to wrap the fields in quotation marks:

VALUES ("Ehsan", "$Tel", date('now'), "$Content");

你应该做的是绑定参数:

$sql =<<<EOF

INSERT INTO foodordering(Fullname, Tel, RecievingTime, Content)
VALUES ("Ehsan", :tel, date('now'), :content);

EOF;

$stmt = $db->prepare($sql);
$stmt->bindValue(':tel', $_REQUEST['from']);
$stmt->bindValue(':content', $_REQUEST['text']);

$ret = $stmt->execute();

这篇关于将文本插入到 sqlite 中，其中文本带有 "的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！