
Possible duplicate:
How can I prevent SQL injection in PHP?
Cannot post text to MySQL using "insert"

When passing movie titles to a MySQL database using PHP, I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 's Dreams' )' at line 10

Here is my code:

//Getting a list of all the users friends
$MyFriends=$facebook->api('/me/friends');

//Loop through friends array to identify each friend
$c=0;
while ($c<count($MyFriends['data']))
{
    $N=$MyFriends['data'][$c]['name'];
    $I=$MyFriends['data'][$c]['id'];
    mysql_query("INSERT INTO UserFriends
    (
        UserFBID, 
        FriendFBID,
        DisplayName
    ) VALUES
    (
        '$FBID', 
        '$I',
        '$N'
    ) ") or die(mysql_error()); 

    //Getting a list of friends each movie likes
    $friendId = "/" . $I . "/movies";
    $myFriendsMovies=$facebook->api($friendId);

    //Loop through to identify each movie
    $x=0;
    while ($x<count($myFriendsMovies['data']))
    {
        $r = $myFriendsMovies['data'][$x]['id'];
        $s = $myFriendsMovies['data'][$x]['name'];
        mysql_query("INSERT INTO LinkedMovies 
        (
            UserFBID, 
            MovieFBID,
            MovieName
        ) VALUES
        (
            '$I', 
            '$r',
            '$s'
        ) ") or die(mysql_error());         
        $x=$x+1;
    }
    $c=$c+1;
}

It seems that the variable $s has picked up the movie "Akira Kurosawa's Dreams" and keeps failing with the error above.


2 Answers

$N=$MyFriends['data'][$c]['name'];

should be:

$N = mysql_real_escape_string($MyFriends['data'][$c]['name']); // sanitize the data, do this for all external data input

Also:

Please don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

answered 2013-01-13T12:36:05.993

Before executing the SQL query, you should use code like the following, with the mysql_real_escape_string function, to make the SQL query safe and escape the strings.

//Getting a list of all the users friends
$MyFriends=$facebook->api('/me/friends');

//Loop through friends array to identify each friend
$c=0;
while ($c<count($MyFriends['data']))
{
    $N=mysql_real_escape_string( $MyFriends['data'][$c]['name'] );
    $I=mysql_real_escape_string( $MyFriends['data'][$c]['id'] );
    mysql_query("INSERT INTO UserFriends
    (
        UserFBID, 
        FriendFBID,
        DisplayName
    ) VALUES
    (
        '$FBID', 
        '$I',
        '$N'
    ) ") or die(mysql_error()); 

    //Getting a list of friends each movie likes
    $friendId = "/" . $I . "/movies";
    $myFriendsMovies=$facebook->api($friendId);

    //Loop through to identify each movie
    $x=0;
    while ($x<count($myFriendsMovies['data']))
    {
        $r = mysql_real_escape_string( $myFriendsMovies['data'][$x]['id'] );
        $s = mysql_real_escape_string( $myFriendsMovies['data'][$x]['name']);
        mysql_query("INSERT INTO LinkedMovies 
        (
            UserFBID, 
            MovieFBID,
            MovieName
        ) VALUES
        (
            '$I', 
            '$r',
            '$s'
        ) ") or die(mysql_error());         
        $x=$x+1;
    }
    $c=$c+1;
}
answered 2013-01-13T12:38:25.257
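The two answers above describe two fixes: escaping each value before it is interpolated into the query (second answer), or switching to prepared statements with PDO or MySQLi (first answer). Escaping works only while the escaped value sits inside a quoted SQL literal; the same value must not be reused elsewhere, as the second answer's code does when it passes the escaped $I into the Graph API path "/{id}/movies". mysql_real_escape_string also needs an open MySQL connection and returns false when none is available, which would silently store empty strings. Prepared statements avoid all of that because the values are sent to the server separately from the SQL text, so an apostrophe in "Akira Kurosawa's Dreams" can never close the string literal. The following is an added example, not code from either answer: the two INSERTs from the question rewritten with PDO prepared statements. It assumes a MySQL database named movies on localhost containing the UserFriends and LinkedMovies tables from the question, placeholder credentials, and PHP 7 or later; the Graph API calls are replaced by constructed arrays in the same shape as the API responses.

```php
<?php
// Added example (not from the original question or answers): both INSERTs from
// the question rewritten with PDO prepared statements.
// Assumptions: MySQL database "movies" on localhost with the question's tables
// UserFriends and LinkedMovies; credentials below are placeholders.

$pdo = new PDO(
    'mysql:host=localhost;dbname=movies;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Prepare once, execute per row: the SQL text is fixed, only the bound values change.
$insertFriend = $pdo->prepare(
    'INSERT INTO UserFriends (UserFBID, FriendFBID, DisplayName) VALUES (:user, :friend, :name)'
);
$insertMovie = $pdo->prepare(
    'INSERT INTO LinkedMovies (UserFBID, MovieFBID, MovieName) VALUES (:user, :movie, :name)'
);

/**
 * Store each friend and the movies that friend likes, returning the row count.
 * $friends mirrors $facebook->api('/me/friends'); $moviesByFriend maps a friend
 * id to the shape of $facebook->api("/{id}/movies"). Values go through bound
 * parameters, so apostrophes and other SQL metacharacters are stored as text.
 */
function storeFriendsAndMovies(
    PDOStatement $insertFriend,
    PDOStatement $insertMovie,
    string $myFbId,
    array $friends,
    array $moviesByFriend
): int {
    $rows = 0;
    foreach ($friends['data'] as $friend) {
        $insertFriend->execute([
            ':user'   => $myFbId,
            ':friend' => $friend['id'],
            ':name'   => $friend['name'],
        ]);
        $rows++;

        // Use the raw id for lookups; only the database layer needs quoting, and PDO does it.
        foreach ($moviesByFriend[$friend['id']]['data'] ?? [] as $movie) {
            $insertMovie->execute([
                ':user'  => $friend['id'],
                ':movie' => $movie['id'],
                ':name'  => $movie['name'], // "Akira Kurosawa's Dreams" is stored verbatim
            ]);
            $rows++;
        }
    }
    return $rows;
}

// Constructed sample input in the Graph API response shape (not real data).
$friends = ['data' => [
    ['id' => '100001', 'name' => "Conan O'Brien"],
]];
$moviesByFriend = [
    '100001' => ['data' => [
        ['id' => '200001', 'name' => "Akira Kurosawa's Dreams"],
        // A hostile title: with string interpolation this would alter the query;
        // as a bound parameter it is just a 36-character movie name.
        ['id' => '200002', 'name' => "x'); DROP TABLE LinkedMovies; -- "],
    ]],
];

$pdo->beginTransaction();
$count = storeFriendsAndMovies($insertFriend, $insertMovie, '999999', $friends, $moviesByFriend);
$pdo->commit();
echo "$count rows inserted\n"; // 3 rows for the sample input above
```

Run it once against an empty database and select from LinkedMovies: both titles appear exactly as written in the sample array, which is the behaviour the question's string-building code cannot guarantee. PDO::ATTR_EMULATE_PREPARES is set to false so the placeholders are handled by the MySQL server rather than substituted client-side; with emulation on, PDO quotes the values itself using the connection charset set in the DSN, which is still safe but is worth knowing when reading the server's query log.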