Warning: file_get_contents(/data/phpspider/zhask/data//catemap/8/mysql/59.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
使用php在varchar字段中插入带斜杠的查询_Php_Mysql_Sql_String - Fatal编程技术网
Fatal编程技术网
  • php/
  • 使用php在varchar字段中插入带斜杠的查询

使用php在varchar字段中插入带斜杠的查询

php mysql sql string

使用php在varchar字段中插入带斜杠的查询,php,mysql,sql,string,Php,Mysql,Sql,String,我在php变量中有此查询: insert into `activadosmil` set cod='TAB08-150', stock='5', precio='111.23', categoria='Articulos destacados', subcategoria='PROMOS', descripcion='YARVIK JUNIOR 8" A9 1GB 8GB KIDO'Z ANDRO', ean='8717534019003', canon='111.23', fabricante

我在php变量中有此查询:

insert into `activadosmil` set cod='TAB08-150', stock='5', precio='111.23', categoria='Articulos destacados', subcategoria='PROMOS', descripcion='YARVIK JUNIOR 8" A9 1GB 8GB KIDO'Z ANDRO', ean='8717534019003', canon='111.23', fabricante='YARVIK'
它在Description='YARVIK JUNIOR 8“A9 1GB 8GB KIDO'Z ANDRO'

我试着用 htmlspecialchars($Description)

但是不起作用

如何将php中的“替换为mysql所需的代码?”

提前感谢

使用反斜杠转义字符

insert into `activadosmil` set cod='TAB08-150', stock='5', precio='111.23', categoria='Articulos destacados', subcategoria='PROMOS', descripcion='YARVIK JUNIOR 8\" A9 1GB 8GB KIDO\'Z ANDRO', ean='8717534019003', canon='111.23', fabricante='YARVIK'
您应该使用适当的函数来转义字符串中的特殊SQL字符。这取决于您使用的驱动程序,即或

不仅需要转义。使用适当的函数Guarantees,您不会忘记某些特殊字符,还可以正确处理字符编码(前提是您已使用
mysqli::set_charset()
或mysql或PDO的相应字符编码在连接上设置了正确的字符编码)

我建议调查PHP手册页面中描述的mysqli类的prepare特性:



以及绑定参数功能:




Use您易受攻击,以及
htmlspecialchars()
对于预防这些疾病的作用就像一张卫生纸泡游泳池一样有用。
htmlspecialcharacters
与SQL完全无关。但这只是手动操作,解决问题的方法很差。你应该使用类似mysql\u real\u escape\u string($string)或mysqli\u real\u escape\u string的东西($string)让它自动逃离所有实例。用MySqLRealRetryEnthString函数工作。我使用的是StryRead($MexCion,\“”,“”),但是它擦除了所有内容。谢谢。而且,他应该考虑使用MySQL或PDO扩展的准备语句。

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "my_database");
$mysqli->set_charset("utf8");

// The original string
$description = 'YARVIK JUNIOR 8" A9 1GB 8GB KIDO\'Z ANDRO';

// Escape any special characters in the correct way for this database connection
$escaped_description = $mysqli->real_escape_string($description);

$mysqli->query("INSERT INTO activadosmil (description)" .
               " VALUES ('$escaped_description');");



<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

/* create a prepared statement */
$stmt = mysqli_stmt_init($link);

$query='INSERT INTO activadosmil (cod, stock, precio, subcategoria, ".
"descripcion, ean, canon, fabricante) VALUES (?, ?, ?, ?, ?, ?, ?,?)';
if (mysqli_stmt_prepare($stmt, $query));{

    /* bind parameters for markers */
    // NB: the first parameter is a string of single char type indicators
    //      - One for each of the actual parameters s=string, d=double, I=integer, b=blob
    //      - In this case all 8 appear to be string - so 'ssssssss'
    mysqli_stmt_bind_param('ssssssss', $cod, $stock, $precio, $subcategoria, $descripcion, 
                           $ean, $canon, $fabricante);

    /* execute query */
    mysqli_stmt_execute($stmt);


    /* close statement */
    mysqli_stmt_close($stmt);
}

/* close connection */
mysqli_close($link);
?>