PHP - 在没有引号的情况下向MySQL输入查询

时间:2016-05-16 15:04:17

标签: php mysql

我遇到了尝试在MySQL中输入数据而没有引号的问题。

下面是它在MySQL中的显示方式的截图

DB ENTRY

下面是INSERT INTO代码,它将它放入数据库,我需要将它输入MySQL而不带引号,这证明具有挑战性...... 

    <?php include('db_connect.inc');?>

<?php
$result = $conn->prepare("INSERT INTO dog_park.reviews (review_text, username, date, rating, item) VALUES (:review, :id, :date, :rating, :keyword)");
$result->bindParam(':review', $value1);
$result->bindParam(':id', $value2);
$result->bindParam(':date', $value3);
$result->bindParam(':rating', $value4);
$result->bindParam(':keyword', $value5);


$value1 = $_POST['review'];
$value2 = $_SESSION['id'];
$value3 = $date = date("Y-m-d");
$value4 = $_POST['rating'];
$value5 = $_SESSION['KEYWORD'];
$result->execute();
echo "Review entry Successful, you will now be redirected to the home page";

header( "refresh:10; url=index.php" );
?>

也许与$ _SESSION有关?

2 个答案:

答案 0 :(得分:0)

也许在每个发布值的两边修剪掉无关的行情可以为你做这样的伎俩:

    <?php
        include('db_connect.inc');
        $result = $conn->prepare("INSERT INTO dog_park.reviews (review_text, username, date, rating, item) VALUES (:review, :id, :date, :rating, :keyword)");

        $date   = date("Y-m-d");
        $value1 = trim($_POST['review'],        "'\"");
        $value2 = trim($_SESSION['id'],         "'\"");
        $value3 = trim($date,                   "'\"");
        $value4 = trim($_POST['rating'],        "'\"");
        $value5 = trim($_SESSION['KEYWORD'],    "'\"");

        $result->bindParam(':review',   $value1);
        $result->bindParam(':id',       $value2);
        $result->bindParam(':date',     $value3);
        $result->bindParam(':rating',   $value4);
        $result->bindParam(':keyword',  $value5);

        $result->execute();
        echo "Review entry Successful, you will now be redirected to the home page";

        header( "refresh:10; url=index.php" );
    ?>

答案 1 :(得分:0)

使用stripslashes( string $str )取消引用引用的字符串。

但在您的情况下,您需要转义字符串中的特殊字符以用于SQL语句,因此您使用:mysql_real_escape_string

mysql_real_escape_string()调用MySQL的库函数mysql_real_escape_string,该函数将反斜杠添加到以下字符:\ x00,\ n,\ r,\,',“和\ x1a。

例如:

<?php
// We have not connected to MySQL

$lastname  = "O'Reilly";
$_lastname = mysql_real_escape_string($lastname);

$query = "SELECT * FROM actors WHERE last_name = '$_lastname'";

var_dump($_lastname);
var_dump($query);
?>
相关问题
最新问题