我试图插入一个url到mysql(通过php)列,但无法做到这一点。我得到以下错误
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%2F%2Flocalhost%2Fclient%2Fsave_file.php%3Ffilename%3D9 WHERE queryid='29'' at line 1
代码片段:
$_POST['url1']="//localhost/client/save_file.php?filename=9";
$_POST['query_id']=29;
$var=$_POST['url1'];
$query_id=$_POST['query_id'];
// echo "$var";
$var=rawurlencode($var);
//echo "$var";
$sql1 = "UPDATE query_audio SET query_content=$var WHERE queryid='".$query_id."' ";
if (!mysql_query($sql1)) {
die('Error: ' . mysql_error($connection));
}
你对如何防御SQL注入攻击有一个根本性的误解,你需要使用mysql_real_escape_string()
,而不是urlencode()
。
另外,您忘记引用$var
变量,因此您的查询实际上是:
... SET query_content=http:%2F%2Fetc...
如果没有引号,mysql可以自由地将http:
部分解释为(无效的)字段名。
试
$var = mysql_real_escape_string($_POST['url1']);
$query_id = mysql_real_escape_string($_POSt['query_id']);
$sql = "UDPATE ... SET query_content='$var' WHERE queryid='$query_id';";
^----^-- note these quotes.