一切都很好,但当我扭曲插入类似它是男人的不是吗就像这个问题。
$Query = "INSERT INTO `9154804_data` (`Parent`, `Name`)
VALUES ($Section, $inputdata);";
$InsertData = $mysqli->query($Query);
if ($InsertData){
$InsertID = $mysqli->insert_id;
$Return['Success'] = "Successfully added.";
}else{
$Return['Error'] = "Something went wrong!";
}
您应该转义特殊字符。
使用mysqli_real_escape_string
可以做到这一点。
然后,您必须将变量包装在单引号中,以便将它们识别为字符串。
既然您已经在使用mysqli
,为什么不更进一步,使用准备好的语句来缓解问题并帮助防止sql注入呢?
$mysqli = new mysqli( $dbhost, $dbuser, $dbpwd, $dbname );
$sql='insert into `9154804_data` (`parent`, `name`) values (?, ?);';
$stmt=$mysqli->prepare( $sql );
$stmt->bind_params('ss', $Section, $inputdata );
$res=$stmt->execute();
if( $res ){
$InsertID = $mysqli->insert_id;
$Return['Success'] = "Successfully added.";
} else {
$Return['Error'] = "Something went wrong!";
}
$mysqli->close();
$Section = $mysqli->real_escape_string($Section);
$inputdata = $mysqli->real_escape_string($inputdata);
$Query = "INSERT INTO `9154804_data` (`Parent`, `Name`)
VALUES ($Section, $inputdata)";
$InsertData = $mysqli->query($Query);
if ($InsertData){
$InsertID = $mysqli->insert_id;
$Return['Success'] = "Successfully added.";
}else{
$Return['Error'] = "Something went wrong!";
}
参考http://php.net/manual/en/mysqli.real-escape-string.php
http://www.w3schools.com/php/func_mysqli_real_escape_string.asp
如果要插入字符串值,则必须将变量引为字符串并移除从查询结束
$Query = "INSERT INTO `9154804_data` (`Parent`, `Name`)
VALUES ('$Section', '$inputdata')";
$InsertData = $mysqli->query($Query);
if ($InsertData){
$InsertID = $mysqli->insert_id;
$Return['Success'] = "Successfully added.";
}else{
$Return['Error'] = "Something went wrong!";
}