dttvb115151 2013-08-07 16:41
Views: 146
Accepted

PHP/MySQL: inserting apostrophes and commas into the database

I have to insert 10 fields' values into MySQL from PHP code as they are. The problem is that whenever the user enters an apostrophe or a comma (',) the query code is disturbed. Some functions exist for this, but is it necessary to pass all the fields' values through these functions? Would it not be time-consuming? :P

Here is my PHP code:

$rs = mysql_query("
    insert into 
        _{$pid}_item 
    values (
        '$pid',
        '$item_brand',
        '$item_code',
        '$item_name',
        '$item_quantity',
        '$item_mrp',
        '$item_discount',
        '$item_vat',
        '$item_sat',
        '$item_selling_price',
        '$item_rating',
        '$item_image'
    )
");

I am passing the values to these variables.


5 answers

  • dqk42179 2013-08-07 16:46

    Try something like mysql_real_escape_string, or if you are using PDO, use PDO::quote.

    And please please please read up on SQL injection attacks. It is not just a matter of getting failed queries; it is a matter of having an attacker get access to your entire database, including all other users' information.

    Even better is to use prepared statements. This would look something like this:

    <?php
    // Assumes $dbh is an existing PDO connection.
    //
    // Use of $pid in the table name is strange here (see comments section) and is
    // dangerous unless you're generating it yourself entirely from known information
    // sources. Otherwise you definitely need to sanitize it, which prepared
    // statements or quoting cannot do: a placeholder can only stand in for a
    // value, never for a table or column name, so the table name must be
    // interpolated into the SQL text (only after validating $pid).
    $stmt = $dbh->prepare("
        INSERT INTO 
            _{$pid}_item
        VALUES (
            :pid,
            :item_brand,
            :item_code,
            :item_name,
            :item_quantity,
            :item_mrp,
            :item_discount,
            :item_vat,
            :item_sat,
            :item_selling_price,
            :item_rating,
            :item_image)
    ");
    
    $stmt->bindParam(":pid", $pid);
    $stmt->bindParam(":item_brand", $item_brand);
    $stmt->bindParam(":item_code", $item_code);
    //... etc ...
    $stmt->execute();
    
    ?>
    
    This answer was chosen as the best answer by the asker.
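As an added example (not code from the original answer), this shows how both halves of the problem the answer raises can be handled together: the data values go through PDO named placeholders, so apostrophes and commas are just bytes in the data, while the `$pid` that forms the table name, which no placeholder can protect, is validated against a strict whitelist pattern before it is interpolated. It assumes `$dbh` is an existing PDO connection, and the column names and the sample row are constructed for illustration.

```php
<?php
// Added example; assumes $dbh is an existing PDO connection such as
// new PDO('mysql:host=...;dbname=...', $user, $pass).

// Only data values can be bound as parameters. The table name is part of the
// SQL text, so it must be validated by hand before being interpolated.
function itemTableName(string $pid): string
{
    // Whitelist: 1 to 20 characters from [A-Za-z0-9_]. Anything else
    // (quotes, spaces, backticks, semicolons) is rejected outright.
    if (!preg_match('/^[A-Za-z0-9_]{1,20}$/', $pid)) {
        throw new InvalidArgumentException('Invalid project id');
    }
    // Backtick-quote the identifier; the pattern above excludes backticks.
    return '`_' . $pid . '_item`';
}

// Constructed column list; every value is sent as a named parameter.
const ITEM_COLUMNS = ['pid', 'item_brand', 'item_code', 'item_name',
    'item_quantity', 'item_mrp', 'item_discount', 'item_vat', 'item_sat',
    'item_selling_price', 'item_rating', 'item_image'];

function insertItem(PDO $dbh, string $pid, array $values): void
{
    $row = ['pid' => $pid] + $values;
    // Refuse rows that do not supply exactly the expected columns.
    $missing = array_diff(ITEM_COLUMNS, array_keys($row));
    $extra   = array_diff(array_keys($row), ITEM_COLUMNS);
    if ($missing || $extra) {
        throw new InvalidArgumentException('Unexpected column set');
    }
    $placeholders = array_map(fn($c) => ':' . $c, ITEM_COLUMNS);
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        itemTableName($pid),
        implode(', ', ITEM_COLUMNS),
        implode(', ', $placeholders));
    // Values travel separately from the SQL text; no escaping is needed.
    $stmt = $dbh->prepare($sql);
    $stmt->execute($row);
}

// Real (server-side) prepares and exceptions on error.
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample row containing the apostrophe and comma that broke
// the original string-built query.
insertItem($dbh, '42', ['item_brand' => "O'Reilly, Inc.", 'item_code' => 'A-1',
    'item_name' => "Bob's 'special', edition", 'item_quantity' => 3,
    'item_mrp' => 9.99, 'item_discount' => 0.5, 'item_vat' => 0.2,
    'item_sat' => 0, 'item_selling_price' => 9.49, 'item_rating' => 4,
    'item_image' => 'img.png']);
```

A `$pid` such as `42; DROP TABLE x` fails the whitelist check and never reaches the SQL text, while the quoted values are stored verbatim.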