PHP, receiving POST'd sql in a php script, getting some mysql errors, should I be using addslashes?
In most cases when an SQL update query is posted to my php script, it works without problem. However, in some cases I get an error from mysql. I'm using an encryption function to send data over the net, so it arrives as sent.
If I post the same query into phpmyadmin, it always works.
Do I need to add $sql = addslashes($sql); ?
I'm hesitant to use this on all queries, as most of them work and I don't want to end up with slashes in my data when it may not be needed.
mysql_real_escape_string
ex:
$c = mysql_connect("localhost","a","b");
// %s is filled in below with the escaped value; mysql_real_escape_string() needs the open connection $c
$query = 'SELECT * FROM table WHERE name="%s";';
mysql_query(sprintf($query, mysql_real_escape_string($_POST['name'], $c)));
You are not specifying what error exactly you get from mySQL. (Please always, always add the error message and example data.)
I'm going to guess though that the SQL query breaks when the user enters quotes: ' or "
This is a sign of a very dangerous vulnerability called SQL injection.
Do not use addslashes() to fix it, but the escaping method provided by your database layer - probably mysql_real_escape_string().
More info: Best way to defend against mysql injection and cross site scripting
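Added example (not code from either answer above): the same kind of update done with a prepared statement, so a quote inside the posted value never reaches the SQL parser and neither addslashes() nor manual escaping is needed. It uses an in-memory SQLite database so it runs without a MySQL server; only the DSN line changes for MySQL. The table, column names and the simulated POST data are constructed for this example.

```php
<?php
// Added example: parameter binding instead of addslashes() or escaping by hand.
// Constructed schema and data. For MySQL the only change is the connection line, e.g.
//   new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass, $opts)
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface the database error instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // let the server parse SQL and data separately
]);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'placeholder')");

// Simulated POST body (constructed): the client sends the VALUES, never the SQL text itself.
// The apostrophe is exactly the kind of input that breaks a concatenated query.
$_POST = ['id' => '1', 'name' => "O'Brien \"Bob\""];

// The SQL text is fixed in the script; user data travels only as bound parameters.
$stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
$stmt->bindValue(':name', $_POST['name'], PDO::PARAM_STR);
$stmt->bindValue(':id', (int) $_POST['id'], PDO::PARAM_INT);
$stmt->execute();

// Read it back: the value is stored verbatim, with no backslashes added to the data.
$row = $pdo->query('SELECT name FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo $row['name'] === $_POST['name'] ? "stored verbatim\n" : "value was altered\n";

// For comparison, the concatenated form from the question fails on the same input:
// the quote in the data is read as SQL syntax, which is the error the question describes.
try {
    $pdo->exec("UPDATE users SET name = '" . $_POST['name'] . "' WHERE id = 1");
} catch (PDOException $e) {
    echo "Concatenated query rejected: " . $e->getMessage() . PHP_EOL;
}
```

The same binding pattern applies to SELECT and INSERT; the point is that the query text is written in the script and only the data arrives from the client.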