Fatal编程技术网
  • php/
  • Php 在MySQL查询中插入“&”或“%”等字符

Php 在MySQL查询中插入“&”或“%”等字符

php mysql database

Php 在MySQL查询中插入“&”或“%”等字符,php,mysql,database,character,Php,Mysql,Database,Character,我想在查询中插入特殊字符&例如%或%,但每次我尝试时,插入的字符串都会被剪切 $data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer"); 例如,如果我输入Bolliger&Mabilard是过山车制造商,我就得到Bolliger $data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoas

我想在查询中插入特殊字符&例如%或%,但每次我尝试时,插入的字符串都会被剪切

$data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer");
例如,如果我输入Bolliger&Mabilard是过山车制造商,我就得到Bolliger

$data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer");
我用于将字符串插入数据库的代码是:

include("connect.php");

$query="insert into news (title, body) values('About', 'Bolliger&Mabillard is a rollercoaster manufacturer');";
$run = mysql_query($query) or die ($query);
mysql_close();

$data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer");
我能做什么

$data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer");
谢谢

试试看:

$data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer");
希望这能帮助你

$data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer");
最短的路在这里。。。使用mysql预定义函数

$data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer");  

<?php
    include("connect.php");
    $bodyData = "Bolliger&Mabillard%is a rollercoaster manufacturer";
    $bodyData = mysql_real_escape_string($bodyData);
    $query="insert into news (title, body) values('About', '".$bodyData."')";
    $run = mysql_query($query) or die ($query);
    mysql_close();
 ?>
或者你可以像下面这样走更长的路。。。使用自己的功能

$data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer");  

<?php
    include("connect.php");

    function xss($string)
        {
            return str_replace(
                            array('!','"','#','$','%','&',"'",'(',')','*','+',',','-','.','/',':',';','<','=','>','?','@','[','\\',']','^','_','{','|','}','~'),
                            array('\!','\"','\#','\$','\%','\&',"\'",'\(','\)','\*','\+','\,','\-','\.','\/','\:','\;','\<','\=','\>','\?','\@','\[','\\','\]','\^','\_','\{','\|','\}','\~'),
                            $string);
        }


    $bodyData = "Bolliger&Mabillard%is a rollercoaster manufacturer";
    $bodyData = xss($bodyData);
    $query="insert into news (title, body) values('About', '".$bodyData."')";
    $run = mysql_query($query) or die ($query);
    mysql_close();
    ?>
您将使用此代码获得结果

$data1=mysql_real_escape_string("Bolliger&Mabillard is a rollercoaster manufacturer");  

 <?php
    include("connect.php");


    function xss_r($string)
        {
            return str_replace(
                            array('\!','\"','\#','\$','\%','\&',"\'",'\(','\)','\*','\+','\,','\-','\.','\/','\:','\;','\<','\=','\>','\?','\@','\[','\\','\]','\^','\_','\{','\|','\}','\~'),
                            array('!','"','#','$','%','&',"'",'(',')','*','+',',','-','.','/',':',';','<','=','>','?','@','[','\\',']','^','_','{','|','}','~'),
                            $string);
        }
    $last = 1; // here your id which is compare with id in database...
    $rs = mysql_query("select body from members where id = ".$last);
    $row = mysql_fetch_array($rs);
    echo xss_r($row['body']);
    mysql_close();
    ?>
body的长度是多少?例如varcharxx?它的varchar999,而编码它的拉丁字母1_-swedish_-ci的字符显示您的代码。实际上,我通过javascript脚本插入字符串:function save{var title=About;var body=Bolliger&mabilard是过山车制造商;window.open+title+&body=+body;}然后删除这个问题,问真正的问题。非常感谢你!无论如何,我在发布问题时犯了一个错误,我要删除这个!不要使用自己的功能!就像在本例中一样,它仍然容易受到SQL注入的攻击。使用准备好的语句提供的参数化语句。