php 将 $variable 或 $_POST 值插入到 mysql 表中
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9617982/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Inserting $variable or $_POST value into mysql table
提问by Sergei
My question concerns why one piece of code works and two that does not, and how i can get the code that does not work to work.
我的问题涉及为什么一段代码有效而两段代码无效,以及如何让无效的代码起作用。
The code that works:
有效的代码:
mysql_select_db("webuser1", $con);
mysql_query("INSERT INTO users (column 1, column2) VALUES ('value1', 'value2')");
mysql_close($con);
Code no1 that does not ($var1 contains 'value1' etc.):
没有的代码 no1($var1 包含 'value1' 等):
mysql_select_db("webuser1", $con);
mysql_query("INSERT INTO users (column 1, column2) VALUES ($var1, $var2)");
mysql_close($con);
And code no2 that does not work ($_POST['value1'] contains 'value1' etc.):
并且代码 no2 不起作用($_POST['value1'] 包含 'value1' 等):
mysql_select_db("webuser1", $con);
mysql_query("INSERT INTO users (column 1, column2) VALUES ($_POST['value1'], $_POST['value2'])");
mysql_close($con);
Am i not supposed to be able to insert $var or $_POST in mysql? I hope you do not find this Q stupid but i have been looking around for solutions but i have not understood them. Thank you
我不应该能够在 mysql 中插入 $var 或 $_POST 吗?我希望你不会觉得这个 Q 很愚蠢,但我一直在寻找解决方案,但我还没有理解它们。谢谢
回答by Quentin
In SQL, string values need to be quoted:
在 SQL 中,字符串值需要被引用:
VALUES ('value1', 'value2')"
When you use variables:
使用变量时:
VALUES ($var1, $var2)");
They are not quoted … unless the quotes are in the values themselves.
它们没有被引用……除非引号在值本身中。
So if $var1 = 'value1'; $var2 = 'value2'then (after the variables are interpolated in your string) your SQL looks like this:
所以如果$var1 = 'value1'; $var2 = 'value2'那么(在你的字符串中插入变量之后)你的 SQL 看起来像这样:
VALUES (value1, value2)"
You could resolve your immediate problem by adding quotes:
您可以通过添加引号来解决当前的问题:
VALUES ('$var1', '$var2')");
but this doesn't fix your major security vulnerabilityand lets your data break the query in different ways.
但这并不能解决您的主要安全漏洞,而是让您的数据以不同的方式破坏查询。
You should avoid creating SQL statements by assembling strings from variables. This way leads to SQL Injection security holes. Use an interface that supports bound arguments. They will handle quoting and escaping for you.
您应该避免通过从变量组装字符串来创建 SQL 语句。这种方式会导致 SQL 注入安全漏洞。使用支持绑定参数的接口。他们将为您处理报价和转义。
回答by chilly
mysql needs single quotes to enclose a string... so you would need something like this:
mysql 需要单引号将字符串括起来......所以你需要这样的东西:
mysql_query("INSERT INTO users (column 1, column2) VALUES ('".$_POST['value1']."', '".$_POST['value2']."')");
for everything that is not a string you won't need the single quotes (')
对于不是字符串的所有内容,您将不需要单引号 (')
as mentioned before you should not forget to escape strings that you want to put into the database. for example use prepared statements. by binding the parameters it is ensured that your passed value is of the type you specified within the prepared statement.
如前所述,您不应忘记转义要放入数据库的字符串。例如使用准备好的语句。通过绑定参数,可以确保您传递的值是您在准备好的语句中指定的类型。
回答by Your Common Sense
One thing you have to understand:
You can'tinsert $variable or $_POST value into mysql table.
您必须了解的一件事:
您不能将 $variable 或 $_POST 值插入到 mysql 表中。
You can insert them in another PHP variable only.
您只能将它们插入到另一个 PHP 变量中。
Which variable, if happens to be a valid SQL query, can be sent to mysql, which will add corresponding values in table.
哪个变量,如果恰好是一个有效的SQL查询,可以发送到mysql,它会在表中添加相应的值。
So, you have to learn proper PHP strings syntax first.
因此,您必须首先学习正确的 PHP 字符串语法。
So, PHP lets you 3 different ways of adding an associative array member into string:
因此,PHP 允许您通过 3 种不同的方式将关联数组成员添加到字符串中:
$array['key'] = 'world';
$str = "Hello ".$array['key'];
$str = "Hello {$array['key']}";
$str = "Hello $array[key]";
You also have issues with SQL syntax.
Strings in the SQL query have to be escaped and quoted. Your code lacks both.
您也有 SQL 语法问题。
SQL 查询中的字符串必须被转义和引用。你的代码两者都没有。
回答by Андрей Павлов
Use this solution, its 100% works
使用此解决方案,其 100% 有效
mysql_query("INSERT INTO users (column 1, column2) VALUES ('{$_POST[value1]}', '{$_POST[value2]}')");
when you use {}, you dont need write value in ' '
当您使用 {} 时,您不需要在 ' ' 中写入值
回答by Ami Padsala
$var1=$_POST['variable_name1'];
$var2=$_POST['variable_name2'];
$q="INSERT INTO `users` (`column 1`, `column2`) VALUES ($var1, $var2)";
$result=mysql_query($q);
回答by Marius Grigaitis
Seems like you're not escaping and quoting your arguments to mysql properly.
似乎您没有正确地转义并引用您的参数给 mysql。
To insert variables in MySQL you need to escape them at least: $var = mysql_real_escape_string($_POST['variable'])and then ".. VALUES ('".$var."')"
要在 MySQL 中插入变量,您至少需要对它们进行转义:$var = mysql_real_escape_string($_POST['variable'])然后".. VALUES ('".$var."')"
You should also probably consider using libraries for connecting to MySQL like DOCTRINE: http://www.doctrine-project.org/that handles this for you.
您可能还应该考虑使用库来连接 MySQL,例如DOCTRINE:http: //www.doctrine-project.org/为您处理这个问题。
回答by Riz
mysql_select_db("webuser1", $con);
mysql_query("INSERT INTO users (column 1, column2) VALUES ('$var1', '$var2')");
mysql_close($con);
When not using Apostrophes around values, it is supposed to be non string value.
当不在值周围使用撇号时,它应该是非字符串值。
回答by Thomas
Your variables are not recognized as variables. They are a part of your string.
您的变量不被识别为变量。它们是您字符串的一部分。
Try:
尝试:
mysql_query("INSERT INTO users (column 1, column2) VALUES ('".$var1."', '".$var2."')");
Same for your second problem.
你的第二个问题也是一样。
回答by Benno
Because the POST variables have ' in them, you have to concatenate instead.
因为 POST 变量中包含 ',所以您必须改为连接。
I.E.
IE
mysql_query("INSERT INTO users (column 1, column2) VALUES (".$_POST['value1'].", ".$_POST['value2'].")");
Or
或者
mysql_query("INSERT INTO users (column 1, column2) VALUES ({$_POST['value1']}, {$_POST['value2']})");
It's also a good idea to put quotes around the variables, in case its empty (or a string rather than an integer)
在变量周围加上引号也是一个好主意,以防它为空(或字符串而不是整数)
