How can I create an SQL table name with spaces and wildcard characters in a MySQL table?
I am looking for a way to store a value with spaces and wildcard characters in a MySQL table. How can this be done? I have tried using mysql_real_escape_string
but for some reason it still won't create a table with the wildcard characters. I've been doing some research and I know it's not that complicated but can't find what I'm looking for.
EXAMPLE OF INSERTION:
$sql = "CREATE TABLE " . $_COOKIE['username'] . "_" . mysql_real_escape_string($wildcard_name) . "
(
example int,
example2 varchar(999),
example3 varchar(999),
example4 varchar(999)
)";
mysql_query($sql,$con);
Trying to add slashes:
$con = mysql_connect("server","user","pass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$scrapbook_name = $_POST["scrapbook_name"];
$scrapbook_name = mysql_real_escape_string($scrapbook_name);
$scrapbook_name = addcslashes($scrapbook_name开发者_StackOverflow社区, '%_');
// Create table
mysql_select_db("user_scrapbooks", $con);
$sql = "CREATE TABLE " . $_COOKIE['user'] . "_" . $scrapbook_name . "
(
id int,
name varchar(999),
description varchar(999),
link varchar(999)
)";
mysql_query($sql,$con);
You can use the 'addcslashes' function to escape the wildcard characters.
$x = mysql_real_escape_string($x);
$x = addcslashes($x, '%_');
addcslashes doc
You should create table using ` quote.
@mysql_select_db('mydb') or die(DBCUSTOMERROR);
$mydata = ' * * ? % ';
$query = "INSERT INTO `mydb`.`mytable` ( `MyVarCharField`) VALUES ('". $mydata. "' );";
$sql = "CREATE TABLE " . $_COOKIE['username'] . "_"
. mysql_real_escape_string($wildcard_name) . "
It appears that you're not trying to store a value with special characters, you're actually trying to create a table identifier with special characters.
You can delimit identifiers in SQL, so you can permit special characters, spaces, international characters, SQL keyword, etc. In MySQL, the identifier delimiter is a back-tick. In ANSI SQL (or MySQL with SET SQL_MODE='ANSI'
) the identifier delimiter is a double-quote.
So you could create a table name that would normally be invalid if you delimit it any time you use it:
CREATE TABLE `SELECT - ORDER` ( ... );
INSERT INTO `SELECT - ORDER` VALUES ( ... );
SELECT ... FROM `SELECT - ORDER`;
However, mysql_real_escape_string()
is not the right function to use for preparing strings to be used safely as an identifier. That function is for string values, to make them safe within single-quoted strings. mysql_real_escape_string()
doesn't escape back-tick. So you could have a problem if your table name contains a back-tick, even if you try to escape it and delimit it:
$user_name = "foo` bar";
$sql = "CREATE TABLE `" . mysql_real_escape_string($username) ...
Results in an invalid SQL statement:
CREATE TABLE `foo` bar` ...
You should really filter the cookie contents, stripping out invalid characters. Then you have more assurance that it won't cause a problem.
$user_name = preg_replace('/`/u', '', $_COOKIE['username']);
$table_name = "{$username}_{$wildcard_name}";
$sql = "CREATE TABLE `{$table_name}` ...";
You don't need to escape single-quotes or double-quotes or LIKE-wildcards for a table name.
I may be wrong on this (please correct me if I am), but couldn't you use serialize for this?
精彩评论