You're not escaping your inputs. mysqli_real_escape_string()is your friend.

你没有逃避你的输入。mysqli_real_escape_string()是你的朋友。

Remember all input is evil. Validate and sanitize, otherwise you're going to be subject to a whole host of nastiness, from data that's out of bounds (124 char long strings when the field is varchar(10), for example) to opening your code up to SQL injection exploits.

记住所有输入都是邪恶的。验证和清理，否则你将受到一大堆肮脏的影响，从越界的数据（例如，字段为 varchar(10) 时的 124 个字符长字符串）到打开代码以进行 SQL 注入漏洞利用。

Example:

例子：

$safe_url = mysqli_real_escape_string($database_connection_object, $url);

Also, you might want to save yourself some keystrokes, change that string to a double quoted one and interpolate the variables - i.e. "blah blah $some_var foo foo"is the same as 'blah blah ' . $some_var . ' foo foo'

此外，您可能希望为自己节省一些按键，将该字符串更改为双引号字符串并插入变量 - 即"blah blah $some_var foo foo"与'blah blah ' . $some_var . ' foo foo'

While I completelyagree with the mysql_real_escape_string()comments, it looks like you forgot to wrap the URL in quotes just like any other string should be.

虽然我完全同意这些mysql_real_escape_string()评论，但您似乎忘记像任何其他字符串一样将 URL 用引号括起来。

$sql = 'INSERT INTO table VALUES( '.$active.' , '.$id.' , '.$time.' , "'.$url.'" ,"some string" )';

You can tell by looking at the MySQL error:

您可以通过查看 MySQL 错误来判断：

://www.youtube.com/watch?v=sAYc3gGjYW8 ,"some string" )

There is no quote at the end of the URL :)

URL 末尾没有引号 :)

You need to escape your input. Have a look at mysql_real_escape_stringor mysqli_real_escape_string. You might also want to look at a database abstraction layer like PDO.

您需要转义您的输入。看看mysql_real_escape_string或mysqli_real_escape_string。您可能还想查看像PDO这样的数据库抽象层。

Assuming you're using the mysql_*procedural functions, and after you've connected to the database, your script should look like this:

假设您正在使用mysql_*过程函数，并且在连接到数据库之后，您的脚本应如下所示：

$sql = 'INSERT INTO table VALUES( '.$active.' , '.$id.' , '.$time.' , "'.mysql_real_escape_string($url).'" ,"some string" )';

I would also stronglyrecommend escaping the other values as well:

我也强烈建议转义其他值：

$sql = 'INSERT INTO table VALUES( "'.mysql_real_escape_string($active).'" , "'.mysql_real_escape_string($id).'" , "'.mysql_real_escape_string($time).'" , "'.mysql_real_escape_string($url).'" ,"some string" )';

unless they are SQL expressions or you have previously escaped them.

除非它们是 SQL 表达式或者您之前已将它们转义。

Make sure you've escaped all of the inputs into the DB using something like mysql_real_escape_string($string). It'll stop you being open to SQL injection attacks and make sure strings are being read correctly.

确保您已使用类似mysql_real_escape_string($string). 它会阻止您接受 SQL 注入攻击，并确保正确读取字符串。

$id = $_GET['id'];$name = $_GET['name'];$lat = $_GET['lat'];$long = $_GET['long']; $query = mysql_query("INSERT INTO dbname.tablename (id,name,lat,long) VALUES ('".$id."','".$name."','".$lat."','".$long."')");

$id = $_GET['id'];$name = $_GET['name'];$lat = $_GET['lat'];$long = $_GET['long']; $query = mysql_query("INSERT INTO dbname.tablename (ID,名称,LAT,长) VALUES ('".$id."','".$name."','".$lat."','".$long."')");