dream2891 2013-09-03 19:22
浏览 79
已采纳

mySQL插入语法错误与引用

I'm receive the following error below, I believe its do in part the quote that I have in the insert string 5'10 - (178cm) in which is passed by the $en['height'] variable. what's the best way to handle this error?

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '10 - (178cm)', m_btype = 'Rather Not Say' at line 12

this is the mysql insert:

m_height = '".$en['height']."',

table is set as:

varchar(30) latin1_swedish_ci
  • 写回答

1条回答 默认 最新

  • dpn68721 2013-09-03 19:28
    关注

    Your issue is that you must "escape" strings before inputting them into SQL queries. Not doing that will allow people to alter your query by inputting quotes. Example if I input the following string:

    '; select * from users; --

    Its possible to execute SQL that you did not intend. The solution is to escape:

    m_height = '".mysql_real_escape_string($en['height'])."',

    Or better yet use a more up to date method of querying mysql such as PDO or mysqli functions.

    Edit I also think you have a more general syntax error. Try this:

    m_height = "'".mysql_real_escape_string($en['height'])."'",
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?