开发者

Inserting URLs into MySQL database

I'm having troubles with an insert query with MySQL. Here's what I want to do:

in one of the fields in my table, I want to insert a bunch of URLs and their respective titles. I build up this query like so:

?content=<title of webpage>%%<url of webpage>%%<title of webpage>%%<url of webpage>%%

and so on, depending how many URLs there are.

The problem is if the URL contains something like "?var=somevalue" then my query breaks there since MySQL will 开发者_如何学运维think that I am declaring a new variable.

How can I achieve this?


I think that you should escape the sequence with a \

If you are using PHP an option is to use the following command (it has multiple forms):

  • Procedural style

    string mysqli_real_escape_string ( mysqli $link , string $escapestr )
    
  • Object oriented style

    string mysqli::escape_string ( string $escapestr )
    
    string mysqli::real_escape_string ( string $escapestr )
    


Here is how to use placeholders in PHP (which I suspect is the language you're using)

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

$name = 'one';
$value = 1;
$stmt->execute();

I grabbed that from php.net

Placeholders, using prepared statements serve several functions, but one of them is to separate data from code safely so that the problem you're describing goes away.

Quoting from the site mentioned above:

The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜