PHP中是否有一个函数可以为字符串添加引号?
喜欢“’”.str.“’”
这是用于varchars的SQL查询.我搜了一下,没有结果……
我做了以下事情:
$id = "NULL"; $company_name = $_POST['company_name']; $country = $_POST['country']; $chat_language = $_POST['chat_language']; $contact_firstname = $_POST['contact_firstname']; $contact_lastname = $_POST['contact_lastname']; $email = $_POST['email']; $tel_fix = $_POST['tel_fix']; $tel_mob = $_POST['tel_mob']; $address = $_POST['address']; $rating = $_POST['rating']; $company_name = "'".MysqL_real_escape_string(stripslashes($company_name))."'"; $country = "'".MysqL_real_escape_string(stripslashes($country))."'"; $chat_language = "'".MysqL_real_escape_string(stripslashes($chat_language))."'"; $contact_firstname = "'".MysqL_real_escape_string(stripslashes($contact_firstname))."'"; $contact_lastname = "'".MysqL_real_escape_string(stripslashes($contact_lastname))."'"; $email = "'".MysqL_real_escape_string(stripslashes($email))."'"; $tel_fix = "'".MysqL_real_escape_string(stripslashes($tel_fix))."'"; $tel_mob = "'".MysqL_real_escape_string(stripslashes($tel_mob))."'"; $address = "'".MysqL_real_escape_string(stripslashes($address))."'"; $rating = MysqL_real_escape_string(stripslashes($rating)); $array = array($id,$company_name,$country,$chat_language,$contact_firstname,$contact_lastname,$email,$tel_fix,$tel_mob,$address,$rating); $values = implode(",",$array); $query = "insert into COMPANIES values(".$values.");";
首先,我看到你正在使用stripslashes().这意味着你有
magic quotes.我建议把它关掉.
您可能想要做的是将其中的一部分放在一个函数中:
function post($name,$string = true) { $ret = MysqL_real_escape_string(stripslashes($_POST[$name])); return $string ? "'" . $ret . "'" : $ret; }
然后:
$company_name = post('company_name');
但是,所有这些都会减少您略有的样板量.
有些人建议使用PDO或MysqLi,以便您可以使用预准备语句.虽然它们很有用但肯定没有必要.您正在逃避这些字段,因此声称sql注入漏洞(至少在此代码的情况下)是错误的.
最后,我不会以这种方式构造查询.首先,它依赖于公司表中具有特定类型和顺序的列.明确这一点要好得多.我经常这样做:
$name = MysqL_real_escape_string($_POST['name']); // etc $sql = <<<END INSERT INTO companies (name,country,chat_language) VALUES ($name,$language) END;
这足以完成任务.您当然可以使用MysqLi或PDO进行调查,但这不是必需的.