如何在写入Mysql数据库时处理撇号

时间:2010-10-30 02:00:10

标签: php mysql mysql-error-1064

我收到此错误:

  

您的SQL语法有错误;检查与您的MySQL服务器版本相对应的手册,以便在's','portal','','offer','MSNBC','News','','sports',''附近使用正确的语法,第3行的'MSN','金钱','','游戏'

唯一的问题是插入包含撇号的数据时会出现此错误。我尝试将数据类型从VARCHAR更改为TEXT,但结果仍然相同。

我试图放addslashes()

如何解决这个问题?

编辑:

$query=" INSERT INTO alltags
 (id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES      
 ('',mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) "; 
mysql_query($query) or die(mysql_error());

我将其更改为mysql_real_escape_string。这种语法是否正确?我收到了错误。

4 个答案:

答案 0 :(得分:40)

对包含MySQL可能解释的字符的数据进行编码的过程称为“转义”。您必须使用mysql_real_escape_string来转义字符串,这是一个PHP函数,而不是MySQL函数,这意味着您必须在将查询传递给数据库之前在PHP中运行它。您必须转义从外部源进入程序的所有数据。任何未转义的数据都可能是SQL injection

在构建查询之前,您必须转义数据。此外,您可以使用PHP的循环结构和range

以编程方式构建查询 
// Build tag fields    
$tags = 'tag' . implode(', tag', range(1,30));

// Escape each value in the uniqkey array
$values = array_map('mysql_real_escape_string', $uniqkey);

// implode values with quotes and commas
$values = "'" . implode("', '", $values) . "'";

$query = "INSERT INTO alltags (id, $tags) VALUES ('', $values)";    

mysql_query($query) or die(mysql_error());

答案 1 :(得分:11)

使用mysql_real_escape_string是处理SQL插入/更新字符的更安全的方法:

INSERT INTO YOUR_TABLE
VALUES
  (mysql_real_escape_string($var1),
   mysql_real_escape_string($var2))

另外,我将你的列从TEXT更改为VARCHAR - 除了索引之外,搜索工作要好得多。

更新更新

由于id是auto_increment列,您可以:

  • 将其从列列表中删除,因此您不必在VALUES子句中提供值:

    INSERT INTO alltags
  (tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES      
  (mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";

  • 在列表中包含id,这要求您在VALUES子句中使用任一值:

    • NULL
    • DEFAULT

以下是使用NULL作为id占位符的示例:

INSERT INTO alltags
  (id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
 VALUES      
  (NULL,mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";

我想 真的 强调你不应该像那样设置你的列。

答案 2 :(得分:7)

meagar回答略有改善:

编辑: meagar更新了他的帖子,所以他的答案现在更好了。 

$query = 'INSERT INTO alltags (id, ';

// append tag1, tag2, etc.
$query .= 'tag' . implode(', tag', range(1, 30)) . ") VALUES ('', ";

// escape each value in the uniqkey array
$escaped_tags = array_map('mysql_real_escape_string', $uniqkey);

// implode values with quotes and commas, and add closing bracket
$query .= "'" . implode("', '", $escaped_tags) . "')";

// actually query
mysql_query($query) or die(mysql_error());

答案 3 :(得分:4)

请看meagars的答案。这是正确的代码。

如果你想使用误导的mysql_query()函数,那么你必须按如下方式分解SQL字符串:

mysql_query(
    "INSERT INTO whateever (col1,col2,col3,col4) VALUES ("
    . mysql_real_escape_string($col1) 
    . ","
    . mysql_real_escape_string($col2) 
    . ","       
    . mysql_real_escape_string($col3) 
    . ","
    . mysql_real_escape_string($col4) 
    . ")"
);

或者因为你有一个数组,所以使用聪明的方法调用一次性转义:

$uniqkey = array_map("mysql_real_escape_string", $uniqkey);

mysql_query("USE THE ESCAPED ARRAY THEN DIRECTLY ('$uniqkey[0]', '$uniqkey[1]', '$uniqkey[2]', '$uniqkey[3]', ...");
相关问题
最新问题