发表新帖
发表新帖

mySQL insert syntax error with quote

前端 未结
关注
1 446
情歌与酒
情歌与酒 2021-01-22 02:40

I\'m receive the following error below, I believe its do in part the quote that I have in the insert string 5\'10 - (178cm) in which is passed by the $en[\'he

1条回答
  • 傲寒
    傲寒 (楼主)
    2021-01-22 02:53

    Your issue is that you must "escape" strings before inputting them into SQL queries. Not doing that will allow people to alter your query by inputting quotes. Example if I input the following string:

    '; select * from users; --

    Its possible to execute SQL that you did not intend. The solution is to escape:

    m_height = '".mysql_real_escape_string($en['height'])."',

    Or better yet use a more up to date method of querying mysql such as PDO or mysqli functions.

    Edit I also think you have a more general syntax error. Try this:

    m_height = "'".mysql_real_escape_string($en['height'])."'",

    0 讨论(0)
 看不清?
提交回复
热议问题