使用php在varchar字段中插入带斜杠的查询
我在php变量中有此查询:使用php在varchar字段中插入带斜杠的查询,php,mysql,sql,string,Php,Mysql,Sql,String,我在php变量中有此查询: insert into `activadosmil` set cod='TAB08-150', stock='5', precio='111.23', categoria='Articulos destacados', subcategoria='PROMOS', descripcion='YARVIK JUNIOR 8" A9 1GB 8GB KIDO'Z ANDRO', ean='8717534019003', canon='111.23', fabricante
insert into `activadosmil` set cod='TAB08-150', stock='5', precio='111.23', categoria='Articulos destacados', subcategoria='PROMOS', descripcion='YARVIK JUNIOR 8" A9 1GB 8GB KIDO'Z ANDRO', ean='8717534019003', canon='111.23', fabricante='YARVIK'
它在Description='YARVIK JUNIOR 8“A9 1GB 8GB KIDO'Z ANDRO'
我试着用
htmlspecialchars($Description)
但是不起作用
如何将php中的“替换为mysql所需的代码?”
提前感谢使用反斜杠转义字符
insert into `activadosmil` set cod='TAB08-150', stock='5', precio='111.23', categoria='Articulos destacados', subcategoria='PROMOS', descripcion='YARVIK JUNIOR 8\" A9 1GB 8GB KIDO\'Z ANDRO', ean='8717534019003', canon='111.23', fabricante='YARVIK'
您应该使用适当的函数来转义字符串中的特殊SQL字符。这取决于您使用的驱动程序,即或 不仅需要转义。使用适当的函数Guarantees,您不会忘记某些特殊字符,还可以正确处理字符编码(前提是您已使用
mysqli::set_charset()
或mysql或PDO的相应字符编码在连接上设置了正确的字符编码)
我建议调查PHP手册页面中描述的mysqli类的prepare特性:
以及绑定参数功能:
Use您易受攻击,以及htmlspecialchars()
对于预防这些疾病的作用就像一张卫生纸泡游泳池一样有用。htmlspecialcharacters
与SQL完全无关。但这只是手动操作,解决问题的方法很差。你应该使用类似mysql\u real\u escape\u string($string)或mysqli\u real\u escape\u string的东西($string)让它自动逃离所有实例。用MySqLRealRetryEnthString函数工作。我使用的是StryRead($MexCion,\“”,“”),但是它擦除了所有内容。谢谢。而且,他应该考虑使用MySQL或PDO扩展的准备语句。
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "my_database");
$mysqli->set_charset("utf8");
// The original string
$description = 'YARVIK JUNIOR 8" A9 1GB 8GB KIDO\'Z ANDRO';
// Escape any special characters in the correct way for this database connection
$escaped_description = $mysqli->real_escape_string($description);
$mysqli->query("INSERT INTO activadosmil (description)" .
" VALUES ('$escaped_description');");
<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
/* create a prepared statement */
$stmt = mysqli_stmt_init($link);
$query='INSERT INTO activadosmil (cod, stock, precio, subcategoria, ".
"descripcion, ean, canon, fabricante) VALUES (?, ?, ?, ?, ?, ?, ?,?)';
if (mysqli_stmt_prepare($stmt, $query));{
/* bind parameters for markers */
// NB: the first parameter is a string of single char type indicators
// - One for each of the actual parameters s=string, d=double, I=integer, b=blob
// - In this case all 8 appear to be string - so 'ssssssss'
mysqli_stmt_bind_param('ssssssss', $cod, $stock, $precio, $subcategoria, $descripcion,
$ean, $canon, $fabricante);
/* execute query */
mysqli_stmt_execute($stmt);
/* close statement */
mysqli_stmt_close($stmt);
}
/* close connection */
mysqli_close($link);
?>