发表新帖
发表新帖

Store HTML into MySQL database

后端 未结
关注
4 592
慢半拍i
慢半拍i 2020-12-10 09:41

I\'m trying to store a String which contains HTML in a MySQL database using Longtext data type. But it always says \"You have an error in your SQL

相关标签:
4条回答
  • 感动是毒
    2020-12-10 10:23

    Try using mysql_real_escape_string function on the string you want to store. It is the easiest way.

    0 讨论(0)
  • 伪装坚强ぢ
    2020-12-10 10:27

    You need to escape a string before inserting it into database.

    0 讨论(0)
  • 执念已碎
    2020-12-10 10:34

    Strings in a SQL query are -usually- surrounded by singlequotes. E.g.

    INSERT INTO tbl (html) VALUES ('html');

    But if the HTML string itself contains a singlequote as well, it would break the SQL query:

    INSERT INTO tbl (html) VALUES ('<form onsubmit="validate('foo', 'bar')">');

    You already see it in the syntax highlighter, the SQL value ends right before foo and the SQL interpreter can't understand what comes thereafter. SQL Syntax Error!

    But that's not the only, it also puts the doors wide open for SQL injections (examples here).

    You'll really need to sanitize the SQL during constructing the SQL query. How to do it depends on the programming language you're using to execute the SQL. If it is for example PHP, you'll need mysql_real_escape_string():

    $sql = "INSERT INTO tbl (html) VALUES ('" . mysql_real_escape_string($html) . "')";

    An alternative in PHP is using prepared statements, it will handle SQL escaping for you.

    If you're using Java (JDBC), then you need PreparedStatement:

    String sql = "INSERT INTO tbl (html) VALUES (?)";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1, html);

    Update: it turns out that you're actually using Java. You'll need to change the code as follows:

    String sql = "INSERT INTO website (URL, phishing, source_code, active) VALUES (?, ?, ?, ?)";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1, URL);
preparedStatement.setString(2, phishingState);
preparedStatement.setString(3, sourceCode);
preparedStatement.setString(4, webSiteState);
preparedStatement.executeUpdate();

    Don't forget to handle JDBC resources properly. You may find this article useful to get some insights how to do basic JDBC stuff the proper way. Hope this helps.

    0 讨论(0)
  • 悲哀的现实
    2020-12-10 10:46

    Difficult to say without seeing the query. Can you post it?

    I'm presuming there's some part of the html string that needs escaping, which maybe you missed?

    0 讨论(0)
 看不清?
提交回复
热议问题