$con=mysqli_connect($db_host,$db_user,$db_password,$db_name);
$modified_message=rawurlencode($_POST['message']);
$subject=$_POST['subject'];
$query_savemsgids="insert into EmailCampaigns(cmpname,userid,cmpstartdatetime,subject) values('".$modified_message."',".$_SESSION['userid'].",DATE_ADD(now(),INTERVAL '07:00:10' HOUR_SECOND),'".$subject."')";
答案 0 :(得分:0)
使用 mysqli_real_escape_string 转义参数。此函数将在字符串中转义特殊字符,如单引号,双引号等。它还有助于防止SQL注入。
//example
$subject=mysqli_real_escape_string($con,$_POST['subject']);
答案 1 :(得分:0)
你应该把你的咨询改为这个。
$date = mysql_real_escape_string("DATE_ADD(now(), INTERVAL '07:00:10' HOUR_SECOND)");
$query_savemsgids="INSERT INTO EmailCampaigns(cmpname,userid,cmpstartdatetime,subject) VALUES('$modified_message', '$_SESSION[userid]', '$date' ,'$subject')";
并且不要忘记使用mysql_real_escape_string( string )来逃避所有用户的输入;
这将与你合作。