开发者

Surnames with quotes breaking SQL query, how to fix this? [duplicate]

问答 作者:
This question already has answers here: Closed 11 years ago.

Possible Duplicate:

apostrophes are breaking my mysql query in PHP

I asked a friend to test my site and his surname had a ' . O'Rourke so I got error with syntax around Rourke. Obviously caused by the apostrophe.

How do I prevent this from happening so he can register to my si开发者_开发问答te?

$name = $user_profile[name];

mysql_select_db("gamedb", $con);

$sql="INSERT IGNORE INTO Users (FID, Name, Date) VALUES ('$fid','$name',NOW())";

Does escaping solve the issue? I couldn't actually try escaping it since the name is retrieved from the usr facebook account.

Thanks

Use Prepared statements. That'll automatically handle input escaping. The current INSERT is open to a SQL injection attack. Check out mysqli_stmt::prepare()

Use mysql_real_escape_string() for the variables

$sql = "INSERT IGNORE INTO Users (
          FID, 
          Name, 
          Date
        ) VALUES (
          '" . mysql_real_escape_string($fid) . "',
          '" . mysql_real_escape_string($name) . "',
          NOW()
        )";

Escape the string with:

$name = mysql_escape_string($user_profile[name]);

This prevent sql injection

you should use mysql_real_escape_string($sql) before you insert a row

you need to use mysql_real_escape_string function in php. You can see the details here http://php.net/manual/en/function.mysql-real-escape-string.php

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9