在进入数据库时​​反斜杠撇号

时间:2012-12-08 01:58:55

标签: php mysql

解决了问题的前一部分,仍然需要理解为什么这不起作用:))

回到单独转义字符串,我有这个。

    mysql_query("INSERT INTO users (firstname,surname,email,password,birthday,birthmonth,birthyear,houseno,streetname,town,country,postcode,phonenumber,singer,songwriter,producer,composer,band,instrument,instrument2,extra,confirmcode) VALUES ('".$firstname."','".$surname."','".$email."','".$password."',".$birthday.",".$birthmonth.",".$birthyear.",'".$houseno."','".$streetname."','".$town."','".$country."','".$postcode."',".$phonenumber.",".$singer.",".$songwriter.",".$producer.",".$composer.", ".$band.",'".$instrument."','".$instrument2."','".$extra."','".$rand."')",
    mysql_real_escape_string($surname),
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($stown),
    mysql_real_escape_string($houseno),
    mysql_real_escape_string($streetname),
    mysql_real_escape_string($extra),
    mysql_real_escape_string($email)) or die ('pood'); 
    echo $streetname;

我得到了骰子错误 - 因此它不会回显$ streetname; (这应该是'Clark \'s Way'),并且似乎没有反斜杠撇号,因为它没有被输入数据库。

如果我没有按照您的标准进行研究,请道歉,但我一直在努力理解为什么这种情况不会持续数小时。

谢谢:)

2 个答案:

答案 0 :(得分:0)

错误是由反斜杠引号引起的。删除反斜杠,它看起来应该可以工作。

之前:VALUES (\'Joshua\',\'Oakley\',
之后:VALUES ('Joshua','Oakley',

答案 1 :(得分:0)

mysql_query()不会像这样多个参数。您需要在查询字符串中转义中的每个变量。像这样:

... VALUES ('".mysql_real_escape_string($firstname)."','".mysql_r...

所以,你最终会得到这样的东西:

$query = "INSERT INTO users (firstname,surname,email,password,birthday,
birthmonth,birthyear,houseno,streetname,town,country,postcode,
phonenumber,singer,songwriter,producer,composer,band,instrument,
instrument2,extra,confirmcode) VALUES (
'". mysql_real_escape_string($firstname) ."',
'". mysql_real_escape_string($surname) ."',
'". mysql_real_escape_string($email) ."',
'". mysql_real_escape_string($password) ."',
'". mysql_real_escape_string($birthday) ."',
'". mysql_real_escape_string($birthmonth) ."',
'". mysql_real_escape_string($birthyear) ."',
'". mysql_real_escape_string($houseno) ."',
'". mysql_real_escape_string($streetname) ."',
'". mysql_real_escape_string($town) ."',
'". mysql_real_escape_string($country) ."',
'". mysql_real_escape_string($postcode) ."',
'". mysql_real_escape_string($phonenumber) ."',
'". mysql_real_escape_string($singer) ."',
'". mysql_real_escape_string($songwriter) ."',
'". mysql_real_escape_string($producer) ."',
'". mysql_real_escape_string($composer) ."',
'". mysql_real_escape_string($band) ."',
'". mysql_real_escape_string($instrument) ."',
'". mysql_real_escape_string($instrument2) ."',
'". mysql_real_escape_string($extra) ."',
'". mysql_real_escape_string($rand) ."')";

mysql_query($query) or die (mysql_error()); 

对不起,如果那里有拼写错误。但我认为你明白了。


这是一个(未经测试的)示例,说明参数化查询如何工作,并根据示例in the manual进行了改编:

$query = "INSERT INTO users (firstname,surname,email,password,birthday,
birthmonth,birthyear,houseno,streetname,town,country,postcode,
phonenumber,singer,songwriter,producer,composer,band,instrument,
instrument2,extra,confirmcode) VALUES (
:firstname, :surname, :email, :password, :birthday, :birthmonth,
:birthyear, :houseno, :streetname, :town, :country, :postcode, :phonenumber,
:singer, :songwriter, :producer, :composer, :band, :instrument, :instrument2,
:extra, :rand)";

// assume $dbh is your PDO database connection
$sth = $dbh->prepare($query);
$sth->bindParam(':firstname', $firstname);
$sth->bindParam(':surname', $surname);
$sth->bindParam(':email', $email);
$sth->bindParam(':password', $password);
$sth->bindParam(':birthday', $birthday);
// and so on...

$sth->execute();