About PHP: how to handle apostrophes (single quotes) when writing to a MySQL database

How to deal with Apostrophe while writing into Mysql database


I am getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's','portal','','offering','MSNBC','News','','sports','','MSN','Money','','games'' at line 3

The only problem is that this error appears when the data being inserted contains an apostrophe. I tried changing the data type from VARCHAR to TEXT, but the result is still the same.

I tried putting addslashes() in

How can I solve this?

Edit:

$query=" INSERT INTO alltags
 (id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES
 ('',mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29]))";
mysql_query($query) or die(mysql_error());

I changed it to mysql_real_escape_string. Is this syntax correct? I am getting an error.


The process of encoding data that contains characters MySQL might interpret is called "escaping". You must escape strings with mysql_real_escape_string, which is a PHP function, not a MySQL function, meaning it has to be run in PHP before the query is passed to the database. Any data that enters your program from an external source must be escaped. Any unescaped data is a potential SQL injection.

The data must be escaped before the query is built. In addition, you can build the query programmatically using PHP's loop constructs and range:

// Build tag fields
$tags = 'tag' . implode(', tag', range(1,30));

// Escape each value in the uniqkey array
$values = array_map('mysql_real_escape_string', $uniqkey);

// implode values with quotes and commas
$values ="'" . implode("', '", $values) ."'";

$query ="INSERT INTO alltags (id, $tags) VALUES ('', $values)";

mysql_query($query) or die(mysql_error());
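Added example, not from the original thread: the same alltags INSERT written as a PDO prepared statement, which sends the tag values to the server separately from the SQL text, so an apostrophe like the one in "MSN's" (the value the question's error message shows cut off at 's) can never terminate a string literal. This is a different technique from the mysql_real_escape_string approach used in the answers (the mysql_* functions no longer exist in current PHP); the table layout, DSN and credentials are placeholder assumptions.

```php
<?php
declare(strict_types=1);

// Assumed schema (from the question): alltags(id AUTO_INCREMENT, tag1 .. tag30).
function buildInsertAlltagsSql(int $tagCount = 30): string
{
    // Column list tag1..tagN and one "?" placeholder per tag; id is NULL so
    // AUTO_INCREMENT assigns it. No user data is ever concatenated into the SQL.
    $columns      = implode(', ', array_map(fn (int $n) => "tag$n", range(1, $tagCount)));
    $placeholders = implode(', ', array_fill(0, $tagCount, '?'));
    return "INSERT INTO alltags (id, $columns) VALUES (NULL, $placeholders)";
}

function insertTags(PDO $pdo, array $uniqkey, int $tagCount = 30): int
{
    // Pad or truncate to exactly $tagCount values so the number of bound values
    // always matches the number of placeholders (a mismatch throws under ERRMODE_EXCEPTION).
    $values = array_slice(array_pad(array_values($uniqkey), $tagCount, ''), 0, $tagCount);

    $stmt = $pdo->prepare(buildInsertAlltagsSql($tagCount));
    $stmt->execute($values);          // values are bound positionally, quoting is the driver's job
    return (int) $pdo->lastInsertId();
}

// Constructed sample input containing the apostrophe that broke the original query.
$uniqkey = ["MSN's", 'portal', '', 'offering', 'MSNBC', 'News', '', 'sports'];

// Placeholder connection details (assumption).
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // true server-side prepare: no client-side escaping at all
]);

echo 'Inserted row id ', insertTags($pdo, $uniqkey), PHP_EOL;
```

With emulated prepares disabled, the statement text and the parameters travel in separate protocol messages, so the charset-dependent pitfalls of client-side escaping do not apply.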


Using mysql_real_escape_string is a safer way to handle characters in SQL inserts/updates:

$query = "INSERT INTO YOUR_TABLE VALUES ('"
    . mysql_real_escape_string($var1) . "', '"
    . mysql_real_escape_string($var2) . "')";

Also, I would change your column back from TEXT to VARCHAR; searching, not to mention indexing, works better.

Update for your update:

Since id is an auto-increment column, you can:

Here is an example that uses NULL as the placeholder for the ID:

$query = "INSERT INTO alltags
  (id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
 VALUES
  (NULL,'" . mysql_real_escape_string($uniqkey[0]) . "','" . mysql_real_escape_string($uniqkey[1]) . "','" . mysql_real_escape_string($uniqkey[2]) . "','" . mysql_real_escape_string($uniqkey[3]) . "','" . mysql_real_escape_string($uniqkey[4]) . "','" . mysql_real_escape_string($uniqkey[5]) . "','" . mysql_real_escape_string($uniqkey[6]) . "','" . mysql_real_escape_string($uniqkey[7]) . "','" . mysql_real_escape_string($uniqkey[8]) . "','" . mysql_real_escape_string($uniqkey[9]) . "','" . mysql_real_escape_string($uniqkey[10]) . "','" . mysql_real_escape_string($uniqkey[11]) . "','" . mysql_real_escape_string($uniqkey[12]) . "','" . mysql_real_escape_string($uniqkey[13]) . "','" . mysql_real_escape_string($uniqkey[14]) . "','" . mysql_real_escape_string($uniqkey[15]) . "','" . mysql_real_escape_string($uniqkey[16]) . "','" . mysql_real_escape_string($uniqkey[17]) . "','" . mysql_real_escape_string($uniqkey[18]) . "','" . mysql_real_escape_string($uniqkey[19]) . "','" . mysql_real_escape_string($uniqkey[20]) . "','" . mysql_real_escape_string($uniqkey[21]) . "','" . mysql_real_escape_string($uniqkey[22]) . "','" . mysql_real_escape_string($uniqkey[23]) . "','" . mysql_real_escape_string($uniqkey[24]) . "','" . mysql_real_escape_string($uniqkey[25]) . "','" . mysql_real_escape_string($uniqkey[26]) . "','" . mysql_real_escape_string($uniqkey[27]) . "','" . mysql_real_escape_string($uniqkey[28]) . "','" . mysql_real_escape_string($uniqkey[29]) . "')";

I want to stress that you should not set up your columns like this.


A slight improvement on 美加's answer:

Edit: 美加 has updated his post, so his answer is better now.

$query = 'INSERT INTO alltags (id, ';

// append tag1, tag2, etc.
$query .= 'tag' . implode(', tag', range(1, 30)) .") VALUES ('',";

// escape each value in the uniqkey array
$escaped_tags = array_map('mysql_real_escape_string', $uniqkey);

// implode values with quotes and commas, and add closing bracket
$query .="'" . implode("', '", $escaped_tags) ."')";

// actually query
mysql_query($query) or die(mysql_error());


See my answer. That is the correct code.

If you want to use the misguided mysql_query() function, you have to break up the SQL string like this:

mysql_query(
   "INSERT INTO whateever (col1,col2,col3,col4) VALUES ('"
    . mysql_real_escape_string($col1)
    . "','"
    . mysql_real_escape_string($col2)
    . "','"
    . mysql_real_escape_string($col3)
    . "','"
    . mysql_real_escape_string($col4)
    . "')"
);

Or, since you have an array, use a clever function call to escape everything at once:

$uniqkey = array_map("mysql_real_escape_string", $uniqkey);

mysql_query("USE THE ESCAPED ARRAY THEN DIRECTLY ('$uniqkey[0]', '$uniqkey[1]', '$uniqkey[2]', '$uniqkey[3]', ...)");