1

I want to run this:

UPDATE users SET about="$about" ;

but when my $about contains =, the script makes a mistake and do something like this:

$about="<img src=somevalue.jpg />";

The script adds this in the database:

<img src

and nothing more.

4

3 回答 3

2

尝试使用双单引号。

$about = '<img src=somevalue.jpg />';
$query = "UPDATE users SET about='$about'";

作为旁注,SQL Injection如果变量的值(s)来自外部,则查询很容易受到攻击。请看下面的文章,了解如何预防。通过使用PreparedStatements,您可以摆脱在值周围使用单引号。

于 2013-03-03T11:44:09.853 回答
0

This is called 'sql injection'. You have to take care of that anyway, so google it.

You have to escape all input you want to use inside statements, anything can happen otherwise. Best is not to use statements constructed by simply including variable content, but use a better engine. Take a look at PDO and the way it works. You "prepare" a statement and hand over parameters as an array. PDO takes care to cleanly escape as required. Much safer that way.

于 2013-03-03T11:44:48.427 回答
0

The issue is with putting quotes around string. I'm not very familiar with how php replaces variables in strings but you can try following for MS SQL server:

Set about ="'$about'"

于 2013-03-03T11:52:01.793 回答