如何在写入Mysql数据库时处理撇号
我得到这个错误:
你的SQL语法有错误, 检查对应于您的MySQL服务器版本的手册,以便在's','portal',''offering','MSNBC','News','','sports','', 'MSN','Money','','游戏'在第3行
唯一的问题是插入包含撇号的数据时出现此错误。 我尝试将数据types从VARCHAR更改为TEXT,但结果仍然相同。
我试图把addslashes()
如何解决这个问题?
编辑:
$query=" INSERT INTO alltags (id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30) VALUES ('',mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) "; mysql_query($query) or die(mysql_error()); 我将其更改为mysql_real_escape_string 。 这个语法是正确的吗? 我收到错误。
编码包含字符MySQL的数据的过程可能被解释为“转义”。 您必须使用mysql_real_escape_string (这是一个PHP函数,而不是MySQL函数)来逃避您的string,这意味着在将查询传递到数据库之前,必须先用PHP运行它。 您必须从外部来源转移任何进入您的程序的数据。 任何未被转义的数据都是潜在的SQL注入 。
在构build查询之前,必须先转义数据。 另外,您可以使用PHP的循环结构和range编程式地构build您的查询:
// Build tag fields $tags = 'tag' . implode(', tag', range(1,30)); // Escape each value in the uniqkey array $values = array_map('mysql_real_escape_string', $uniqkey); // implode values with quotes and commas $values = "'" . implode("', '", $values) . "'"; $query = "INSERT INTO alltags (id, $tags) VALUES ('', $values)"; mysql_query($query) or die(mysql_error());
使用mysql_real_escape_string是一种更安全的方法来处理SQL插入/更新的字符:
INSERT INTO YOUR_TABLE VALUES (mysql_real_escape_string($var1), mysql_real_escape_string($var2))
另外,我会将您的列从TEXT更改为VARCHAR – search除了索引之外,效果更好。
更新您的更新
作为id是一个auto_increment列,你可以:
-
将其保留在列的列表之外,所以您不必在VALUES子句中提供值:
INSERT INTO alltags (tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30) VALUES (mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) "; -
在列的列表中包含
id,这要求您在VALUES子句中使用任何值:-
NULL -
DEFAULT
-
这是一个使用NULL作为id占位符的例子:
INSERT INTO alltags (id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30) VALUES (NULL,mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";
我想强调,你不应该像这样设置你的列。
对梅加尔的回答略有改善:
编辑: meagar更新了他的post,所以他的答案现在更好。
$query = 'INSERT INTO alltags (id, '; // append tag1, tag2, etc. $query .= 'tag' . implode(', tag', range(1, 30)) . ") VALUES ('', "; // escape each value in the uniqkey array $escaped_tags = array_map('mysql_real_escape_string', $uniqkey); // implode values with quotes and commas, and add closing bracket $query .= "'" . implode("', '", $escaped_tags) . "')"; // actually query mysql_query($query) or die(mysql_error());
请看看meagars答案。 这是正确的代码。
如果你想使用错误的mysql_query()函数,那么你必须按如下方式分解SQLstring:
mysql_query( "INSERT INTO whateever (col1,col2,col3,col4) VALUES (" . mysql_real_escape_string($col1) . "," . mysql_real_escape_string($col2) . "," . mysql_real_escape_string($col3) . "," . mysql_real_escape_string($col4) . ")" );
或者,因为你有一个数组,使用聪明的方法调用一次全部转义:
$uniqkey = array_map("mysql_real_escape_string", $uniqkey); mysql_query("USE THE ESCAPED ARRAY THEN DIRECTLY ('$uniqkey[0]', '$uniqkey[1]', '$uniqkey[2]', '$uniqkey[3]', ...");
