dongxie8856 2014-10-21 10:15

PHP: Error when inserting quotation marks into MySQL

I insert a text variable in a MySQL table. Everything works fine except when there is a quotation mark in the text. I thought that I could prevent an error by using "mysql_real_escape_string". But there is an error anyway.

My insert statement:

 $insertimage= "INSERT INTO image(filename,text,timestamp,countdown) VALUES ('$filename','$text','$timestamp','$countdown')";
 mysql_real_escape_string($insertimage);

The error message: MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1413885955514','10')' at line 1


  • doulong1987 2014-10-21 10:21

    The problem with your current code is that you have not correctly escaped the values you're trying to enter into the table.

    Better still is to avoid the mysql_* function family entirely. Those functions are now deprecated and bring security risks to the table (along with other concerns).

    You'd be better to use PDO and Prepared Statements, for example:

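    // 'param1', 'param2', 'param3' are placeholders for the DSN, username and password
    $db = new PDO('param1', 'param2', 'param3');
    // Named placeholders keep the values out of the SQL text
    $sql = $db->prepare( 'INSERT INTO `image` (`filename`, `text`, `timestamp`, `countdown`) 
                                       VALUES (:filename, :text, :timestamp, :countdown)' );
    
    // Values are bound at execution time, so quotes in $text need no escaping
    $sql->execute( array(':filename' => $filename, 
                         ':text' => $text, 
                         ':timestamp' => $timestamp, 
                         ':countdown' => $countdown )
    );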
    

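The failure from the question next to the prepared-statement fix from the accepted answer, as an added example that is not part of the original question or answer. Assumptions: an in-memory SQLite database (the pdo_sqlite extension) stands in for MySQL so the script runs offline, and the sample values are constructed.

```php
<?php
// Added example: SQLite in memory stands in for MySQL (assumption) so this
// runs offline. Requires the pdo_sqlite extension. Sample values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE image (filename TEXT, text TEXT, timestamp TEXT, countdown INTEGER)');

$filename  = 'cat.jpg';
$text      = "It's a \"quoted\" caption";   // contains ' and "
$timestamp = '1413885955514';
$countdown = 10;

// 1) The pattern from the question: values are pasted into the SQL string.
//    The apostrophe in $text closes the string literal early, so the
//    database receives broken SQL. Escaping the finished statement afterwards
//    cannot help: the quotes that delimit the values would be escaped as well.
$concatenated = "INSERT INTO image(filename,text,timestamp,countdown) "
              . "VALUES ('$filename','$text','$timestamp','$countdown')";
try {
    $db->exec($concatenated);
    echo "concatenated insert: ok\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: " . $e->getMessage() . "\n";
}

// 2) Prepared statement: the SQL text and the values travel separately,
//    so no character in a value can change the statement's structure.
$stmt = $db->prepare(
    'INSERT INTO image (filename, text, timestamp, countdown)
     VALUES (:filename, :text, :timestamp, :countdown)'
);
$stmt->execute([
    ':filename'  => $filename,
    ':text'      => $text,
    ':timestamp' => $timestamp,
    ':countdown' => $countdown,
]);

// Read the row back to confirm the text was stored exactly as supplied.
$stored = $db->query('SELECT text FROM image')->fetchColumn();
echo "rows: " . $db->query('SELECT COUNT(*) FROM image')->fetchColumn() . "\n";
echo "stored text matches input: " . ($stored === $text ? 'yes' : 'no') . "\n";
```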