doufu6504 2016-10-27 05:50

如何在MySQL中插入特殊字符？

I have one table in which is storing data with json_encode. I have tried to mysql_escape_string as well as mysql_real_escape_string but both are not working in my case.

For example :

my password is : @:;_-#()\/+.,?!'"

update new_devices set parameter = '{"password":"@:;_-#()\/+.,?!'""}' where id = 126

With mysql_real_escape_string :

update new_devices set parameter = '{"password":"@:;_-#()\/+.,?!\\\\\\'\\\\\\\""}' where id = 126;

PHP Code :

function update_password($param_array){
     $param_array['new_pass']=mysql_escape_string($param_array['new_pass']);
     $dirparam['password'] = $param_array['new_pass'];
     $sip_query_result = $this->update_query("Device Update Query", "devices", $param_array['id'],array("dir_params" => json_encode($dirparam)));
}

function update_query($method_name,$table_name,$where,$update_array){
 if (is_array($update_array)) {
    $data_str = " set ";
    foreach ($update_array as $key => $value) {
        $data_str.=$key . " = '" . $value . "',";
    }
    $data_str = rtrim($data_str, ",");
  }else{        
    $data_str=" set ".$update_array;
  }
  $update_query=null;
  if (!empty($data_str))
  $update_query.="update " . $table . $data_str;
  $where_str=null;
  if (!empty($where)) {
      $where_str = " where id =".$where;
  }
  $update_query = $update_query . $where_str;
  mysql_query($update_query);
}

Is that possible in PHP using another solution?

I know that store json_encode data into database its not good idea but application is large and I can't do that change.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

dpruwm6206 2016-10-27 08:06

关注

Alright, as you can't simply switch the database API in a bigger project, I took a closer look at your problem. Still, you should switch to mysqli or PDO asap.

The mistake you made was to use mysql_real_escape_string() in the wrong position. You should use it directly before you send your data to the databse, so it should actually be used inside your update_query() function.

Let's check the difference between correct and incorrect usage.

How to handle the data

Defining your password.

$password = <<<'PASSWORD'
@:;_-#()\/+.,?!\'"
PASSWORD;

var_dump($password);
// string(18) "@:;_-#()\/+.,?!\'""

Next step: Encoding it to json! Instead, you escaped your string in this place.

$passwordJSON = json_encode($password);
var_dump($passwordJSON);
// string(24) ""@:;_-#()\\\/+.,?!\\'\"""

// compared to:

$passwordEscaped = mysql_real_escape_string($password);
var_dump($passwordEscaped);
// string(22) "@:;_-#()\\/+.,?!\\\'\""

Then comes the time to escape it for the database. But here you used json_encode(), too late.

$passwordJSONEscaped = mysql_real_escape_string($passwordJSON);
var_dump($passwordJSONEscaped);
//string(34) "\"@:;_-#()\\\\\\/+.,?!\\\\\'\\\"\""

// compared to

$passwordEscapedJSON = json_encode($passwordEscaped);
var_dump($passwordEscapedJSON);
// string(32) ""@:;_-#()\\\\\/+.,?!\\\\\\'\\\"""

The result

$resultCorrectWay = mysql_query("INSERT INTO passwordtest (password) VALUES ('$passwordJSONEscaped')");
var_dump($resultCorrectWay);
// bool(true)

// vs

$resultWrongWay = mysql_query("INSERT INTO passwordtest (password) VALUES ('$passwordEscapedJSON')");
var_dump($resultWrongWay);
// bool(false)

Conclusion

By using json_encode() AFTER you already escaped your string, you added new entities which would have to be escaped for your query to work.

Do it in the correct order, then the database can handle your statement.

The whole thing for trying it at home

<?php
ini_set('display_errors', 1);
error_reporting(-1);

mysql_connect('localhost', 'user', 'password');
mysql_select_db('test');

echo '<pre>';
$password = <<<'PASSWORD'
@:;_-#()\/+.,?!\'"
PASSWORD;

var_dump($password);
// string(18) "@:;_-#()\/+.,?!\'""

$passwordJSON = json_encode($password);
var_dump($passwordJSON);
// string(24) ""@:;_-#()\\\/+.,?!\\'\"""

$passwordJSONEscaped = mysql_real_escape_string($passwordJSON);
var_dump($passwordJSONEscaped);
//string(34) "\"@:;_-#()\\\\\\/+.,?!\\\\\'\\\"\""

$resultCorrectWay = mysql_query("INSERT INTO passwordtest (password) VALUES ('$passwordJSONEscaped')");
var_dump($resultCorrectWay);
// bool(true)

$passwordEscaped = mysql_real_escape_string($password);
var_dump($passwordEscaped);
// string(22) "@:;_-#()\\/+.,?!\\\'\""

$passwordEscapedJSON = json_encode($passwordEscaped);
var_dump($passwordEscapedJSON);
// string(32) ""@:;_-#()\\\\\/+.,?!\\\\\\'\\\"""

$resultWrongWay = mysql_query("INSERT INTO passwordtest (password) VALUES ('$passwordEscapedJSON')");
var_dump($resultWrongWay);
// bool(false)

edit: when not json encoding

var_dump($password);
// string(18) "@:;_-#()\/+.,?!\'""
mysql_query("INSERT INTO passwordtest (password) VALUES ('" . mysql_real_escape_string($password) . "')");

Value in the database:

@:;_-#()\/+.,?!\'"

报告相同问题？

关注问题

在mysql全文搜索中搜索特殊字符 mysql php
2017-05-07 13:00

回答 1 已采纳 By default, MySQL does not treat '@' as a valid character for a word. If you want to treat '@' it
c#插入mysql报错 ???? mysql
2017-04-25 02:55

回答 3 已采纳 ![图片说明](https://img-ask.csdn.net/upload/201704/25/1493089484_695071.png) 我编码选择的是utf-8
为什么后端的mysql语句插入不进去？请问哪里出问题了 java mysql sql
2023-03-09 09:55

回答 3 已采纳 #{count})")
mysql插入数据会失败？为什么？
2022-07-16 13:55

肥肥技术宅的博客 ASCII编码支持数字和...mysql默认的utf8字符集，其实只是utf8mb3，并不完整，当插入emoji表情等特殊字符时，会报错，导致插入、更新数据失败。改成utf8mb4就好了，它能支持更多字符。httpshttpshttpshttpshttps。...
如何在MySQL插入中限制值？ mysql php sql
2013-11-30 15:35

回答 2 已采纳 With PHP, you can validate the form with something like: $enteredAge = 17; //from the user $minA
如何在PHP / mysql中插入日期时间？ mysql php
2011-06-25 14:00

回答 3 已采纳 Sorry, my bad :/ I forgot a column before in my sql query, that's why it returned NULL... In the
在sql中多大的数据才算是大数据？ java mysql 数据库
2022-03-31 17:24

回答 5 已采纳其实没有实际的标准明确定义多少数据量算大数据，不过阿里开发手册中建议，表数据超过500万条时，建议考虑分表，以防影响查询效率，不过我们公司也有单表超过几千万条的数据，效率确实不高，所以理论上百万级别以
微信昵称带符号导致插入MySQL数据库时出错的解决方案
2021-01-21 15:03

Mysql的utf8编码最多3个字节，而Emoji表情或者某些特殊字符是4个字节。因此会导致带有表情的昵称插入数据库时出错。只要修改MySQL的编码即可，解决方案如下： 1.在mysql的安装目录下找到my.ini,作如下修改： ...
在MYSQL中插入数据之前删除多余的字符？ mysql php
2015-03-14 13:29

回答 1 已采纳 Try to use stripslashes(string) $body = stripslashes($body); Let me know if it works.
mysql中case when … then …解决插入记录吗？ mysql sql
2020-12-27 16:17

回答 3 已采纳 select * from table where 特长=‘？？？’
MySQL插入和更新查询在插入大数据时出错 mysql php
2014-06-26 10:28

回答 1 已采纳 Your content probably contains quote characters, which you need to escape. $bcontent = mysql_real
为什么不建议在 MySQL 中使用 UTF-8？
2022-05-16 08:30

浪尖聊大数据-浪尖的博客来源：https://blog.csdn.net/qq_39390545/article/details/106946166记得去年我在往MySQL存入emoji表情????????时，一直出错，无法导入。后来找到办法 -- 通过把 utf8 改成 utf8mb4 就可以了，并没有深究。一年后，...
MySQL插入数据后中文显示的是空白 mysql 有问必答
2021-07-26 17:59

回答 1 已采纳在my.ini (在MySQL的安装目录下)文件中修改如下：把utf8 改为 gbk若没有生效，重启服务试试
mysql 写入大数据类型_C#在MySQL大量数据下的高效读取、写入详解
2021-01-19 09:07

weixin_39650139的博客前言C#操作MySQL大量数据最常见的操作便是 select 读取数据，然后在C#中对数据进行处理，完毕后再插入数据库中。简而言之就 select -> process -> insert 三个步骤。对于数据量小的情况下(百万级别 or 几百...
Mysql的longblob字段插入数据问题解决
2020-12-15 08:46

在使用mysql的过程中，有个问题就是mysql的优化，mysql中longblob字段在5.5版本中默认的为1M。想改变这个问题，需要注意几点： com.mysql.jdbc.PacketTooBigException: Packet for query is too large (2054817 > ...
没有解决我的问题, 去提问

悬赏问题

¥15 mmocr的训练错误，结果全为0
¥15 python的qt5界面
¥15 无线电能传输系统MATLAB仿真问题
¥50 如何用脚本实现输入法的热键设置
¥20 我想使用一些网络协议或者部分协议也行，主要想实现类似于traceroute的一定步长内的路由拓扑功能
¥30 深度学习，前后端连接
¥15 孟德尔随机化结果不一致
¥15 apm2.8飞控罗盘bad health，加速度计校准失败
¥15 求解O-S方程的特征值问题给出边界层布拉休斯平行流的中性曲线
¥15 谁有desed数据集呀

码龄粉丝数原力等级 --

如何在MySQL中插入特殊字符？

1条回答默认最新

码龄粉丝数原力等级 --

悬赏问题

如何在MySQL中插入特殊字符？

1条回答 默认 最新

悬赏问题

1条回答默认最新