douweiduo7526 2014-02-13 13:33
Views: 74
Accepted

Using prepared statements, but quotes are not escaped or removed

I am having an issue getting some things to insert into my database. If I put quotes, single or double, into my text fields, it breaks the query and does not escape them. I just finished reading that using prepared statements eliminates the need to call mysql_real_escape_string. Can someone tell me if I am executing my query wrong? $companyInfo is an array that contains about 8 rows to be inserted.

function InsertCompanyInfo($companyInfo, $conn) {
    foreach($companyInfo as $key => $table) {
        $keys = array_keys($table);
        $values = null;
        $x = 1;

        // Builds the VALUES list by quoting each value directly into the SQL string.
        foreach($table as $row => $value) {
            $values .= "'$value'";
            if($x < count($keys)) {
                $values .= ', ';
            }
            $x++;
        }

        // The values are already interpolated here, so prepare() receives a fully formed query.
        $sql = $conn->prepare("INSERT INTO {$key} (`" . implode('`, `', $keys) . "`) VALUES ({$values});");
        $sql->execute();
        $CompanyID = $conn->lastInsertId('CompanyID');
    }
    return $CompanyID;
}

This is the error I get when I insert quotes:

    Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1', ''''"'"''"';;''';';')' at line 1' in /var/www/Survey/InsertFunctions.php:20
    Stack trace:
    #0 /var/www/Survey/InsertFunctions.php(20): PDOStatement->execute()
    #1 /var/www/Survey/testProcess.php(8): InsertCompanyInfo(Array, Object(PDO))
    #2 {main}
    thrown in /var/www/Survey/InsertFunctions.php on line 20

1 answer

  • dongtao9887 2014-02-13 14:19

    Prepared statements work by separating the query structure and the values in code like so:

    $stmt = $pdo->prepare('INSERT INTO foo (bar) VALUES (?)');
    

    This is the query structure, which the database is given first to understand. Then you give it the values separately:

    $stmt->execute(array('baz'));
    

    What you're doing instead is calling prepare on a completely formed query which includes crudely interpolated values. There's nothing prepare can do here. The entire problem of escaping values is that the database cannot figure out what a value was and what your part of the query was after the fact. If you're giving the query fully formed and incorrectly escaped to the database, it can't magically recognise what was supposed to be what. You need to add placeholders to the query and provide the corresponding values in a separate step.

    This answer was chosen as the best answer by the asker.
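To show the separation the answer describes applied to the asker's function, here is an added example (not code from the question or the answer) that rewrites InsertCompanyInfo so every value travels through a `?` placeholder. Because identifiers cannot be bound, the table and column names are checked against an allow-list; the table and column names, the SQLite in-memory connection and the sample rows are assumptions made for this example.

```php
<?php
// Added example: InsertCompanyInfo rewritten to use placeholders.
// $companyInfo keeps the asker's shape: ['table' => ['column' => 'value', ...], ...]

function InsertCompanyInfo(array $companyInfo, PDO $conn): string
{
    // Table and column names cannot be bound as parameters, so only names
    // the application owns are accepted (assumed names for this example).
    $allowedColumns = [
        'Company' => ['CompanyName', 'Address', 'City'],
    ];

    $companyId = '';
    foreach ($companyInfo as $tableName => $row) {
        if (!isset($allowedColumns[$tableName])) {
            throw new InvalidArgumentException("Unknown table: $tableName");
        }
        $unknown = array_diff(array_keys($row), $allowedColumns[$tableName]);
        if ($unknown !== []) {
            throw new InvalidArgumentException('Unknown column(s): ' . implode(', ', $unknown));
        }

        $columns      = array_keys($row);
        $placeholders = implode(', ', array_fill(0, count($columns), '?'));

        // Query structure only: no value text is part of this string.
        $stmt = $conn->prepare(
            "INSERT INTO `$tableName` (`" . implode('`, `', $columns) . "`) VALUES ($placeholders)"
        );
        // The values go to the database separately, so quotes inside them
        // are stored as data and never reach the SQL parser.
        $stmt->execute(array_values($row));

        $companyId = $conn->lastInsertId();
    }
    return $companyId;
}

// Constructed sample input containing the quotes that broke the original query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Company (CompanyID INTEGER PRIMARY KEY, CompanyName TEXT, Address TEXT, City TEXT)');

$id = InsertCompanyInfo([
    'Company' => ['CompanyName' => "O'Reilly \"Media\"", 'Address' => "1 Main St; it's #5", 'City' => 'Sebastopol'],
], $pdo);

$stored = $pdo->query('SELECT CompanyName FROM Company')->fetchColumn();
echo "Inserted row $id: $stored\n"; // the quotes are stored intact
```

With the MySQL driver PDO emulates prepared statements by default; setting `PDO::ATTR_EMULATE_PREPARES` to false makes the server itself keep structure and values apart.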
