dttvb115151 2013-08-07 16:41
Views: 146
Accepted

PHP-MySQL database apostrophe and comma insertion

I am to insert 10 fields' values into MySQL from PHP code as they are. The problem is that whenever the user inserts an apostrophe or a comma (',) the query code is disturbed. There are some functions for this. But is it necessary to parse all the fields' values through these functions?? Would it not be time consuming :P

here is my php code

// Every value is interpolated straight into the SQL text, so a quote
// inside any of them ends the string literal early and breaks the query.
$rs = mysql_query("
    insert into 
        _{$pid}_item 
    values (
        '$pid',
        '$item_brand',
        '$item_code',
        '$item_name',
        '$item_quantity',
        '$item_mrp',
        '$item_discount',
        '$item_vat',
        '$item_sat',
        '$item_selling_price',
        '$item_rating',
        '$item_image'
    )
"); 

I am passing the values to these variables.


5 answers

  • dqk42179 2013-08-07 16:46

    Try something like mysql_real_escape_string, or if you are using PDO, use PDO::quote.

    And please please please read up on SQL injection attacks. It is not just a matter of getting failed queries, it is a matter of having an attacker get access to your entire database, like all other users' information.

    Even better is to use prepared statements. This would look something like this:

    <?php
    // $dbh is assumed to be an existing PDO connection.
    //
    // Use of $pid in the table name is strange here (see comments section) and is
    // dangerous unless you're generating it yourself entirely from known information
    // sources. Otherwise you definitely need to sanitize it, which I don't think
    // prepared statements or quoting can do: a placeholder only stands in for a
    // value, never for a table or column name, so $pid has to be interpolated here.
    $stmt = $dbh->prepare("
        INSERT INTO 
            _{$pid}_item
        VALUES (
            :pid,
            :item_brand,
            :item_code,
            :item_name,
            :item_quantity,
            :item_mrp,
            :item_discount,
            :item_vat,
            :item_sat,
            :item_selling_price,
            :item_rating,
            :item_image)
    "); 
    
    // Bind each placeholder by name. The values are sent separately from the
    // SQL text, so quotes and commas inside them cannot change the statement.
    $stmt->bindParam(":pid", $pid);
    $stmt->bindParam(":item_brand", $item_brand);
    $stmt->bindParam(":item_code", $item_code);
    $stmt->bindParam(":item_name", $item_name);
    $stmt->bindParam(":item_quantity", $item_quantity);
    $stmt->bindParam(":item_mrp", $item_mrp);
    $stmt->bindParam(":item_discount", $item_discount);
    $stmt->bindParam(":item_vat", $item_vat);
    $stmt->bindParam(":item_sat", $item_sat);
    $stmt->bindParam(":item_selling_price", $item_selling_price);
    $stmt->bindParam(":item_rating", $item_rating);
    $stmt->bindParam(":item_image", $item_image);
    $stmt->execute();
    
    ?>
    
    This answer was chosen by the asker as the best answer.
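As an added example (not part of the answer above and not the asker's code), here is how the two halves of that advice fit together in PHP: all twelve values go through one prepared statement, so no per-field escaping is needed, and the one part that cannot be bound, the `$pid` inside the table name, is checked against a strict pattern before it is ever put into SQL. It assumes PHP 7.4+ with the pdo_sqlite extension so that it runs offline (with MySQL only the DSN and column types would change); `itemTableName`, `insertItem`, the digits-only rule for `$pid` and the sample values are constructed for this example.

```php
<?php
// Added example: PDO prepared statement for the twelve-column _{pid}_item insert,
// plus an allowlist check for the table-name part. Assumes PHP 7.4+ and pdo_sqlite.

// The twelve columns, in the order the question inserts them.
const ITEM_FIELDS = [
    'pid', 'item_brand', 'item_code', 'item_name', 'item_quantity', 'item_mrp',
    'item_discount', 'item_vat', 'item_sat', 'item_selling_price', 'item_rating',
    'item_image',
];

// A placeholder cannot stand in for a table name, so "_{$pid}_item" can only be
// built safely after $pid has been validated. This example assumes a pid is a
// short decimal number; anything else is refused before any SQL is assembled.
function itemTableName(string $pid): string
{
    if (!preg_match('/^[0-9]{1,10}$/', $pid)) {
        throw new InvalidArgumentException('pid must be 1-10 digits');
    }
    return "`_{$pid}_item`";
}

// One prepared statement covers every value. Each value travels as a bound
// parameter, separate from the SQL text, so apostrophes, commas and quotes in
// the data cannot alter the statement and need no escaping in application code.
function insertItem(PDO $dbh, string $pid, array $item): void
{
    $item['pid']  = $pid;
    $columns      = implode(', ', ITEM_FIELDS);
    $placeholders = implode(', ', array_map(fn ($f) => ":$f", ITEM_FIELDS));
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
                   itemTableName($pid), $columns, $placeholders);

    $params = [];
    foreach (ITEM_FIELDS as $f) {
        $params[":$f"] = $item[$f] ?? null;   // every placeholder must be supplied
    }
    $dbh->prepare($sql)->execute($params);
}

// --- demo on an in-memory SQLite database with constructed sample data ---
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pid = '42';
$dbh->exec('CREATE TABLE ' . itemTableName($pid)
           . ' (' . implode(' TEXT, ', ITEM_FIELDS) . ' TEXT)');

// Values of exactly the kind that break the string-interpolated query in the question.
$sample = [
    'item_brand'         => "O'Reilly, Inc.",
    'item_code'          => 'A-1',
    'item_name'          => 'It\'s a "10", 5 pack',
    'item_quantity'      => '5',
    'item_mrp'           => '10.00',
    'item_discount'      => '0.5',
    'item_vat'           => '0.1',
    'item_sat'           => '0',
    'item_selling_price' => '9.50',
    'item_rating'        => '4',
    'item_image'         => "img'1.png",
];
insertItem($dbh, $pid, $sample);

$row = $dbh->query('SELECT item_brand, item_name FROM ' . itemTableName($pid))
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row['item_brand'] === "O'Reilly, Inc.");   // bool(true): stored verbatim
var_dump($row['item_name']  === 'It\'s a "10", 5 pack');

// A pid that is not purely numeric is rejected before any query is built.
try {
    itemTableName('42;x');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Passing the parameter array to `execute()` does the same job as the twelve `bindParam` calls in the answer; the point is that the quoting is handled by the driver once, not by the application for each field.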
