我正在尝试向mysql(通过php)列插入一个url但无法执行此操作。 我收到以下错误
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%2F%2Flocalhost%2Fclient%2Fsave_file.php%3Ffilename%3D9 WHERE queryid='29'' at line 1
代码段:
$_POST['url1']="//localhost/client/save_file.php?filename=9";
$_POST['query_id']=29;
$var=$_POST['url1'];
$query_id=$_POST['query_id'];
// echo "$var";
$var=rawurlencode($var);
//echo "$var";
$sql1 = "UPDATE query_audio SET query_content=$var WHERE queryid='".$query_id."' ";
if (!mysql_query($sql1)) {
die('Error: ' . mysql_error($connection));
}
答案 0 :(得分:1)
你对如何防御SQL injection attacks有一个根本的误解你需要使用mysql_real_escape_string(),而不是urlencode()。
另外,您忘记引用$var变量,因此您的查询是偶然的:
... SET query_content=http:%2F%2Fetc...
在没有引号的情况下,mysql可以自由地将http:部分解释为(无效的)字段名称。
尝试
$var = mysql_real_escape_string($_POST['url1']);
$query_id = mysql_real_escape_string($_POSt['query_id']);
$sql = "UDPATE ... SET query_content='$var' WHERE queryid='$query_id';";
^----^-- note these quotes.