theres single quotes using in
theres单引号使用in
$bio = "$user->description";
inserting DB like this;
像这样插入DB;
<?
$sql = "insert into yyy (id, twitterid, twitterkullanici, tweetsayisi, takipettigi, takipeden, nerden, bio, profilresmi, ismi) values ('', '$id', '$twk', '$tws', '$tkpettigi', '$tkpeden', '$nerden', '$bio', '$img', '$isim')";
$ak = mysql_query("select * from yyy where twitterid = '$id'");
if (mysql_num_rows($ak) == 0) {
$sonuc = mysql_query($sql) or die(mysql_error());
echo "ciciş listesine eklendin :)";
}
elseif (mysql_num_rows($ak) == 1) {
$sonuc = "zaten ciciş olarak eklenmişsin. ikinci kere eklemeye ne gerek var :)";
}
?>
how can i mysql_real_escape_string the $bio correctly?
我怎么能正确地使用$ bio的mysql_real_escape_string?
2 个解决方案
#1
2
Make sure you establish a connection to your MySQL database first.
确保首先建立与MySQL数据库的连接。
$sql = "insert into yyy (id, twitterid, twitterkullanici, tweetsayisi, takipettigi, takipeden, nerden, bio, profilresmi, ismi) values ('', '$id', '$twk', '$tws', '$tkpettigi', '$tkpeden', '$nerden', '" . mysql_real_escape_string($bio) . "', '$img', '$isim')";
FYI, this could have easily been found with a Google search or using the PHP documention.
仅供参考,这可以通过Google搜索或使用PHP文档轻松找到。
Also, you should use this for any strings and/or user submitted data. Not just select fields.
此外,您应该将此用于任何字符串和/或用户提交的数据。不只是选择字段。
#2
2
You don't. Start using parameterized queries with mysqli or better, PDO
你没有。开始使用mysqli或更好的PDO参数化查询
Example from the php doc with PDO :
来自PDO的php doc示例:
<?php
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
?>
#1
2
Make sure you establish a connection to your MySQL database first.
确保首先建立与MySQL数据库的连接。
$sql = "insert into yyy (id, twitterid, twitterkullanici, tweetsayisi, takipettigi, takipeden, nerden, bio, profilresmi, ismi) values ('', '$id', '$twk', '$tws', '$tkpettigi', '$tkpeden', '$nerden', '" . mysql_real_escape_string($bio) . "', '$img', '$isim')";
FYI, this could have easily been found with a Google search or using the PHP documention.
仅供参考,这可以通过Google搜索或使用PHP文档轻松找到。
Also, you should use this for any strings and/or user submitted data. Not just select fields.
此外,您应该将此用于任何字符串和/或用户提交的数据。不只是选择字段。
#2
2
You don't. Start using parameterized queries with mysqli or better, PDO
你没有。开始使用mysqli或更好的PDO参数化查询
Example from the php doc with PDO :
来自PDO的php doc示例:
<?php
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
?>