dream2891 2013-09-03 19:22
浏览 79
已采纳

mySQL插入语法错误与引用

I'm receive the following error below, I believe its do in part the quote that I have in the insert string 5'10 - (178cm) in which is passed by the $en['height'] variable. what's the best way to handle this error?

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '10 - (178cm)', m_btype = 'Rather Not Say' at line 12

this is the mysql insert:

m_height = '".$en['height']."',

table is set as:

varchar(30) latin1_swedish_ci
  • 写回答

1条回答 默认 最新

  • dpn68721 2013-09-03 19:28
    关注

    Your issue is that you must "escape" strings before inputting them into SQL queries. Not doing that will allow people to alter your query by inputting quotes. Example if I input the following string:

    '; select * from users; --

    Its possible to execute SQL that you did not intend. The solution is to escape:

    m_height = '".mysql_real_escape_string($en['height'])."',

    Or better yet use a more up to date method of querying mysql such as PDO or mysqli functions.

    Edit I also think you have a more general syntax error. Try this:

    m_height = "'".mysql_real_escape_string($en['height'])."'",
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥50 寻找一位有逆向游戏盾sdk 应用程序经验的技术
  • ¥15 请问有用MZmine处理 “Waters SYNAPT G2-Si QTOF质谱仪在MSE模式下采集的非靶向数据” 的分析教程吗
  • ¥50 opencv4nodejs 如何安装
  • ¥15 adb push异常 adb: error: 1409-byte write failed: Invalid argument
  • ¥15 nginx反向代理获取ip,java获取真实ip
  • ¥15 eda:门禁系统设计
  • ¥50 如何使用js去调用vscode-js-debugger的方法去调试网页
  • ¥15 376.1电表主站通信协议下发指令全被否认问题
  • ¥15 物体双站RCS和其组成阵列后的双站RCS关系验证
  • ¥15 复杂网络,变滞后传递熵,FDA