在写入Mysql数据库时如何处理撇号

 

这个问题在这里已经有了答案:

  • 我如何防止PHP中的SQL注入? 28个答案

    • 编码包含字符MySQL的数据的过程可能被解释为“转义”。 您必须使用mysql_real_escape_string (它是一个PHP函数,而不是MySQL函数)来逃避您的字符串,这意味着在将查询传递给数据库之前,必须先用PHP运行它。 您必须转义来自外部来源的任何数据。 任何未被转义的数据都是潜在的SQL注入。

    在构建查询之前,必须先转义数据。 此外,您可以使用PHP的循环构造和range编程式地构建查询: 

    // Build tag fields    
$tags = 'tag' . implode(', tag', range(1,30));

// Escape each value in the uniqkey array
$values = array_map('mysql_real_escape_string', $uniqkey);

// implode values with quotes and commas
$values = "'" . implode("', '", $values) . "'";

$query = "INSERT INTO alltags (id, $tags) VALUES ('', $values)";    

mysql_query($query) or die(mysql_error());

    使用mysql_real_escape_string是一种更安全的方法来处理SQL插入/更新的字符: 

    INSERT INTO YOUR_TABLE
VALUES
  (mysql_real_escape_string($var1),
   mysql_real_escape_string($var2))

    另外,我会将您的列从TEXT更改为VARCHAR - 除索引之外,搜索的效果会更好。

    更新您的更新

    作为该id是一个auto_increment列,您可以:

  • 将它从列的列表中删除,所以您不必在VALUES子句中提供值: 

    INSERT INTO alltags
  (tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES      
  (mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";

  • 在列列表中包含id ,这要求您在VALUES子句中使用任何值:

  • NULL
  • DEFAULT

    • 以下是使用NULL作为id占位符的示例: 

    INSERT INTO alltags
  (id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
 VALUES      
  (NULL,mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";

    我想真正强调的是,你不应该设置你的专栏这样。

    梅加尔的回答略有改善:

    编辑: meagar更新了他的帖子,所以他的答案现在更好。 

    $query = 'INSERT INTO alltags (id, ';

// append tag1, tag2, etc.
$query .= 'tag' . implode(', tag', range(1, 30)) . ") VALUES ('', ";

// escape each value in the uniqkey array
$escaped_tags = array_map('mysql_real_escape_string', $uniqkey);

// implode values with quotes and commas, and add closing bracket
$query .= "'" . implode("', '", $escaped_tags) . "')";

// actually query
mysql_query($query) or die(mysql_error());
    链接地址: http://www.djcxy.com/p/16721.html

    上一篇: How to deal with Apostrophe while writing into Mysql database

    下一篇: Escaping single quote in PHP when inserting into MySQL