2013-09-03 19:22



I'm receiving the following error below. I believe it's due in part to the quote in the insert string 5'10 - (178cm), which is passed by the $en['height'] variable. What's the best way to handle this error?

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '10 - (178cm)', m_btype = 'Rather Not Say' at line 12

This is the MySQL insert:

m_height = '".$en['height']."',

The table column is set as:

varchar(30) latin1_swedish_ci


  • dpn68721, 8 years ago

    Your issue is that you must "escape" strings before putting them into SQL queries. Not doing that will allow people to alter your query by inputting quotes. For example, if I input the following string:

    '; select * from users; --

    It's possible to execute SQL that you did not intend. The solution is to escape:

    m_height = '".mysql_real_escape_string($en['height'])."',

    Or better yet use a more up to date method of querying mysql such as PDO or mysqli functions.

    Edit: I also think you have a more general syntax error. Try this:

    m_height = "'".mysql_real_escape_string($en['height'])."'",
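The answer above recommends PDO or mysqli over string concatenation. The following is an added example (not code from the question or the answer) showing the same INSERT ... SET shape as the asker's query written as a PDO prepared statement, so the value 5'10 - (178cm) is sent to the server separately from the SQL text and can never be parsed as part of it. The table name `members`, the `id` column, the DSN and the credentials are assumptions for the example; the column names m_height and m_btype come from the error message on the page.

```php
<?php
// Added example, not from the original post. Assumptions (not stated on the
// page): table `members` with an integer `id` column, and the DSN/credentials
// below. The column names m_height and m_btype appear in the asker's error.

// The value that broke the concatenated query, plus a deliberately hostile one.
$en = [
    'height' => "5'10 - (178cm)",
    'btype'  => 'Rather Not Say',
];
$hostile = "'; select * from users; --";   // the string quoted in the answer

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // assumed DSN
    'dbuser',                                             // assumed credentials
    'dbpass',
    [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares; parameters are never spliced into SQL.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Same INSERT ... SET shape as the asker's query, but with named placeholders.
// No quotes are written around the placeholders: the driver handles typing.
$insert = $pdo->prepare(
    'INSERT INTO members SET m_height = :height, m_btype = :btype'
);

// First row: the value with the embedded single quote.
$insert->execute([':height' => $en['height'], ':btype' => $en['btype']]);
$firstId = (int) $pdo->lastInsertId();

// Second row: the injection attempt is stored as a plain string, nothing runs.
$insert->execute([':height' => $hostile, ':btype' => $en['btype']]);

// An UPDATE in the same style, for the "m_height = ..." fragment in the question.
$update = $pdo->prepare('UPDATE members SET m_height = :height WHERE id = :id');
$update->execute([':height' => $en['height'], ':id' => $firstId]);

// Read the first row back and confirm the quote survived unchanged.
$select = $pdo->prepare('SELECT m_height FROM members WHERE id = :id');
$select->execute([':id' => $firstId]);
$stored = $select->fetchColumn();

if ($stored !== $en['height']) {
    throw new RuntimeException("round-trip mismatch: got '$stored'");
}
echo "stored intact: $stored\n";
```

Two practical notes on the example: the charset in the DSN is what makes the driver and server agree on encoding, which matters for any escaping scheme (including mysql_real_escape_string, which only escapes correctly for the connection's current charset); and because the SQL text contains only placeholders, the same statement can be executed repeatedly with different data without rebuilding a string each time.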