The problem is that whenever I input a big-ass text in the form of my php page and try to INSERT it through a SQL query into the database, it gives me an error like this:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'sample title', 'spent the long months of the rainy season shut up in a small room th' at line 1"
The query is this:
$sql = "INSERT INTO `d` (`user_id`, `title`, `message`) VALUES ($user_id, '$topic', '$message')";
The interesting thing is that it gives me no error when I manually insert the values and run the query in phpmyadmin.
解决方案
Use prepared statements:
$db = new PDO(...);
$stmt = $db.prepare("INSERT INTO `d` (`user_id`, `title`, `message`) VALUES ($user_id, :topic, :message)");
// I'm assuming that title is a VARCHAR(50) and message is a VARCHAR(500)
$stmt->bindParam(":topic", $topic, PDO::PARAM_STR, 50);
$stmt->bindParam(":message", $topic, PDO::PARAM_STR, 500);
$stmt->execute();
This places the job of escaping / properly passing data squarely in the hands of the database engine - which is where it belongs. Avoid building SQL strings from user input wherever you can and you'll avoid many potential SQL injection attacks.
6674
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
