I am using a particular query for inserting records. It is going well. I am even fetching records with a select query. But my problem is that, if the record contains single quotes ' ', then it gives me this error:
> NOTE:You have an error in your SQL syntax;
> check the manual that corresponds to your MySQL server
> version for the right syntax to use near 'B''' at line 1
The SELECT query is:
$result= mysql_query("SELECT s.name,
s.sid as sid,
s.category,
p.name as pname
FROM poet p
INNER JOIN song s
ON p.pid = s.pid
WHERE s.name= '$sid'") or die(mysql_error());
What should I do to skip quotes problem in this. When I want quotes to insert in my records.
解决方案
Your problem is much worse than this -- what if someone enters the value '; DROP TABLE poet; --? You need to use either mysql_real_escape_string() to escape the value, or use parametrized queries (with PDO, for example).
It's 2011, for crying out loud. Why is SQL injection still a widespread problem?
732
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
