问题
The problem is that whenever I input a big-ass text in the form of my php page and try to INSERT it through a SQL query into the database, it gives me an error like this:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'sample title', 'spent the long months of the rainy season shut up in a small room th' at line 1"
The query is this:
$sql = "INSERT INTO `d` (`user_id`, `title`, `message`) VALUES ($user_id, '$topic', '$message')";
The interesting thing is that it gives me no error when I manually insert the values and run the query in phpmyadmin.
回答1:
Use prepared statements:
$db = new PDO(...);
$stmt = $db.prepare("INSERT INTO `d` (`user_id`, `title`, `message`) VALUES ($user_id, :topic, :message)");
// I'm assuming that title is a VARCHAR(50) and message is a VARCHAR(500)
$stmt->bindParam(":topic", $topic, PDO::PARAM_STR, 50);
$stmt->bindParam(":message", $topic, PDO::PARAM_STR, 500);
$stmt->execute();
This places the job of escaping / properly passing data squarely in the hands of the database engine - which is where it belongs. Avoid building SQL strings from user input wherever you can and you'll avoid many potential SQL injection attacks.
回答2:
I bet there are single quotes ( ' ) in the string. Escape $topic before using it in your INSERT.
来源:https://stackoverflow.com/questions/11916820/inserting-very-long-string-in-an-sql-query-error