Apostrophy和引號不會從表單添加到mysql

[英]Apostrophy and quotation marks won't add to mysql from a form


I need some help here!

我需要一些幫助!

I have a form on a site admin page, the owner fills in his projects and the get added to a mysql db, but sometimes the data contains single or double quotes so it won't add to the db.

我在站點管理頁面上有一個表單,所有者填寫他的項目並將get添加到mysql db,但有時數據包含單引號或雙引號,因此它不會添加到db。

I tried using addslashes but it still wont work.

我嘗試使用addslashes但它仍然無法正常工作。

Heres my code which Ive tried

繼承了我試過的代碼

$atitle = addslashes($_REQUEST['atitle']); 
$acontent = addslashes($_REQUEST['acontent']); 

$query = "INSERT INTO projects VALUES (NULL, '$atitle', '$acontent', '$remote_file',     '$remote_file1', '$remote_file2')";
  $result = mysql_query($query);
  if(!$result){
     $error = 'An error occured: '. mysql_error().'<br />';
     $error.= 'Query was: '.$query;
     echo $error;
     die($message);
  }

Can anyone help me with this?

誰能幫我這個?

2 个解决方案

#1


0  

mysql_query is part of an outdated php library that isn't supported anymore. The more reliable method of interacting with a database is mysqli. Using mysqli, you'll be able to use Prepared Statements. Prepared Statements are a way to validate input and to mitigate problems like this (your input having quotation ticks/marks). Take a look at this example:

mysql_query是一個不再支持的過時的php庫的一部分。更可靠的與數據庫交互的方法是mysqli。使用mysqli,您將能夠使用Prepared Statements。准備語句是一種驗證輸入和緩解此類問題的方法(您的輸入具有引號刻度/標記)。看看這個例子:

$db = new mysqli("host","user","pw","database");
$stmt = $db->prepare("INSERT INTO projects VALUES (NULL, '?', '?', '?', '?','?')");

$stmt->bind_param('s', $atitle); // s means string in the first param
$stmt->bind_param('s', $acontent); // s means string in the first param    
... // same for all other parameters in your query
$stmt->execute();

More on this: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

更多相關信息:http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

I heavily recommend using mysqli. It is current and supported. Prepared Statements are the best way to defend against SQL injections and also catching trip-ups like this. It will sanitize the input for you and account for quotation symbols.

我強烈推薦使用mysqli。它是最新的和支持的。准備好的語句是防范SQL注入的最佳方法,也可以捕獲這樣的絆倒。它將為您清理輸入並考慮引號。

#2


0  

you can try stripslashes() to un-quotes a quoted string. More details are available on the PHP documentation website here.

你可以嘗試使用stripslashes()取消引用帶引號的字符串。有關詳細信息,請訪問PHP文檔網站。


注意!

本站翻译的文章,版权归属于本站,未经许可禁止转摘,转摘请注明本文地址:https://www.itdaan.com/blog/2013/06/14/729c65fc6f0f2285bda56187fd25845d.html



 
粤ICP备14056181号  © 2014-2020 ITdaan.com