查询无效:您的SQL语法有错误;特殊字符 [英] Invalid query: You have an error in your SQL syntax; special characters
问题描述
我正在做php和编写一些代码,以同时插入数据到不同的表。我写了一个foreach循环,我的代码的一部分如下:
while($ datarow = dbgetrow($ dataresult)) {
if($ dotcount> $ datanumrows){
showarchivestatus(。,true);
$ dotcount = 1;
}
$ sqlvalues =;
foreach($ lu_cols as $ lu_col){
if($ datarow [$ lu_col] ==){
$ sqlvalues = $ sqlvalues。
} else {
$ sqlvalues = $ sqlvalues。,\.afeafe($ datarow [$ lu_col])。
}
}
$ sqlinsert =INSERT INTO。$ lu_table。VALUES(。substr($ sqlvalues,2)。
$ archivedb = dbconnect($ a_host,$ a_dbname,$ a_port,$ a_user,$ a_password);
dbrunquery($ sqlinsert,$ archivedb);
$ dotcount ++;
}
这里是函数makesafe:
function makesafe($ text)
{
$ instring = strpos($ text,');
while($ instring> = 0)
{
if($ instring === false)
break;
if(substr($ text,$ instring-1,1)!=\\)
{
$ text = $ instring)。\\.substr($ text,$ instring,strlen($ text) - $ instring);
}
$ instring = strpos($ text,',$ instring + 1);
}
$ instring = strpos($ text,'');
while($ instring> = 0)
{
if $ instring === false)
break;
if(substr($ text,$ instring-1,1)!=\\)
{
$ text = substr($ text,0,$ instring)\\.substr($ text,$ instring,strlen($ text) - $ instring);
}
$ instring = strpos($ text,'',$ instring + 1);
}
return $ text;
}
但我遇到错误:
查询无效:您的SQL语法有错误;检查与您的MySQL服务器版本对应的手册,以获取在第1行附近使用的support.microsoft.com/default.aspx?scid=kb\)附近的正确语法
SQLStatement = INSERT INTO reference VALUES (5441461,4,support.microsoft.com/default.aspx?scid=kb\)
我知道问题是特殊字符 \ ,但我仍然要插入带有这个特殊字符的数据。如何更改它并成功插入数据?许多欣赏与任何答案。
您需要在将字符串放入数据库之前将其转义。
这是一个在MySQLi中如何做的基本示例
<?php
$ con = mysqli_connect(localhost,my_user,my_password,my_db);
//检查连接
if(mysqli_connect_errno()){
echo无法连接到MySQL:。 mysqli_connect_error();
}
//安全的转义变量
$ firstname = mysqli_real_escape_string($ con,$ _POST ['firstname']);
$ lastname = mysqli_real_escape_string($ con,$ _POST ['lastname']);
$ age = mysqli_real_escape_string($ con,$ _POST ['age']);
$ sql =INSERT INTO Persons(FirstName,LastName,Age)
VALUES('$ firstname','$ lastname','$ age');
if(!mysqli_query($ con,$ sql)){
die('Error:'。mysqli_error($ con));
}
echo1 record added;
mysqli_close($ con);
?>
以下是PDO的示例:
<?php
$ conn = new PDO('sqlite:/home/lynn/music.sql3');
/ *危险字符串* /
$ string ='Naughty \'string';
print无引号字符串:$ string\\\
;
print引号字符串:。 $ conn-> quote($ string)。 \\\
;
?>
您可能需要考虑使用预准备语句。这有几个好处,包括:
- 安全 - 有助于防止SQL注入
- 速度 -
- Security - Helps prevent SQL injection
- Speed - You only are sending the values.
http://www.w3schools.com/php/php_mysql_prepared_statements.asp
资料来源:
http://www.w3schools.com/php/func_mysqli_real_escape_string.asp
http://php.net/manual/en/mysqli.real-escape-string.php
http://php.net/manual/en/pdo.quote.php
I am doing php and writing some code to insert data into different tables at the same time. I wrote a foreach loop and one part of my code is as follows:
while ($datarow = dbgetrow($dataresult)) {
if ( $dotcount > $datanumrows) {
showarchivestatus(" .", true);
$dotcount = 1;
}
$sqlvalues = "";
foreach($lu_cols as $lu_col) {
if ($datarow[$lu_col] == "") {
$sqlvalues = $sqlvalues.", NULL ";
} else {
$sqlvalues = $sqlvalues.", \"".makesafe($datarow[$lu_col])."\"";
}
}
$sqlinsert = "INSERT INTO ".$lu_table." VALUES(".substr($sqlvalues,2).")";
$archivedb = dbconnect($a_host, $a_dbname, $a_port, $a_user, $a_password);
dbrunquery($sqlinsert, $archivedb);
$dotcount++;
}
Here is the function makesafe:
function makesafe($text)
{
$instring = strpos($text, "'");
while ( $instring >= 0 )
{
if ( $instring === false )
break;
if ( substr($text, $instring-1, 1) != "\\" )
{
$text = substr($text, 0, $instring)."\\".substr($text, $instring, strlen($text)-$instring);
}
$instring = strpos($text, "'", $instring + 1);
}
$instring = strpos($text, '"');
while ( $instring >= 0 )
{
if ( $instring === false )
break;
if ( substr($text, $instring-1, 1) != "\\" )
{
$text = substr($text, 0, $instring)."\\".substr($text, $instring, strlen($text)-$instring);
}
$instring = strpos($text, '"', $instring + 1);
}
return $text;
}
but I got the error:
Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"support.microsoft.com/default.aspx?scid=kb\")' at line 1 SQLStatement=INSERT INTO reference VALUES("5441461", "4", "support.microsoft.com/default.aspx?scid=kb\")
I know the problem is the special character \, but I still want to insert the data with this special characters. How can I change it and insert data successfully? Many appreciate with any answers. Thank you.
You need to escape your string before putting it into the database.
Here is a basic example of how to do it in MySQLi
<?php
$con=mysqli_connect("localhost","my_user","my_password","my_db");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('$firstname', '$lastname', '$age')";
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
Here is an example of PDO:
<?php
$conn = new PDO('sqlite:/home/lynn/music.sql3');
/* Dangerous string */
$string = 'Naughty \' string';
print "Unquoted string: $string\n";
print "Quoted string:" . $conn->quote($string) . "\n";
?>
You may want to consider using a prepared statement. There are several benefits to this including:
http://www.w3schools.com/php/php_mysql_prepared_statements.asp
Sources:
http://www.w3schools.com/php/func_mysqli_real_escape_string.asp
http://php.net/manual/en/mysqli.real-escape-string.php
http://php.net/manual/en/pdo.quote.php
这篇关于查询无效:您的SQL语法有错误;特殊字符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
