I'm having troubles with an insert query with MySQL. Here's what I want to do:
in one of the fields in my table, I want to insert a bunch of URLs and their respective titles. I build up this query like so:
?content=<title of webpage>%%<url of webpage>%%<title of webpage>%%<url of webpage>%%
and so on, depending how many URLs there are.
The problem is if the URL contains something like "?var=somevalue" then my query breaks there since MySQL will 开发者_如何学运维think that I am declaring a new variable.
How can I achieve this?
I think that you should escape the sequence with a \
If you are using PHP an option is to use the following command (it has multiple forms):
Procedural style
string mysqli_real_escape_string ( mysqli $link , string $escapestr )Object oriented style
string mysqli::escape_string ( string $escapestr ) string mysqli::real_escape_string ( string $escapestr )
Here is how to use placeholders in PHP (which I suspect is the language you're using)
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);
$name = 'one';
$value = 1;
$stmt->execute();
I grabbed that from php.net
Placeholders, using prepared statements serve several functions, but one of them is to separate data from code safely so that the problem you're describing goes away.
Quoting from the site mentioned above:
The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论