... VALUES ('".mysql_real_escape_string($firstname)."','".mysql_r...
So what you end up with is this:
```php
// Each value is escaped individually before being concatenated into the SQL text.
$query = "INSERT INTO users (firstname,surname,email,password,birthday,
birthmonth,birthyear,houseno,streetname,town,country,postcode,
phonenumber,singer,songwriter,producer,composer,band,instrument,
instrument2,extra,confirmcode) VALUES (
'". mysql_real_escape_string($firstname) ."',
'". mysql_real_escape_string($surname) ."',
'". mysql_real_escape_string($email) ."',
'". mysql_real_escape_string($password) ."',
'". mysql_real_escape_string($birthday) ."',
'". mysql_real_escape_string($birthmonth) ."',
'". mysql_real_escape_string($birthyear) ."',
'". mysql_real_escape_string($houseno) ."',
'". mysql_real_escape_string($streetname) ."',
'". mysql_real_escape_string($town) ."',
'". mysql_real_escape_string($country) ."',
'". mysql_real_escape_string($postcode) ."',
'". mysql_real_escape_string($phonenumber) ."',
'". mysql_real_escape_string($singer) ."',
'". mysql_real_escape_string($songwriter) ."',
'". mysql_real_escape_string($producer) ."',
'". mysql_real_escape_string($composer) ."',
'". mysql_real_escape_string($band) ."',
'". mysql_real_escape_string($instrument) ."',
'". mysql_real_escape_string($instrument2) ."',
'". mysql_real_escape_string($extra) ."',
'". mysql_real_escape_string($rand) ."')";
// Note: the mysql_* functions are deprecated since PHP 5.5 and removed in PHP 7.
mysql_query($query) or die (mysql_error());
```
Sorry if there's a typo in there, but I think you get the idea.
Here is how a parameterized query might work (another example), adapted from the example in the manual:
```php
// Named placeholders stand in for the values; the SQL text never contains user input.
$query = "INSERT INTO users (firstname,surname,email,password,birthday,
birthmonth,birthyear,houseno,streetname,town,country,postcode,
phonenumber,singer,songwriter,producer,composer,band,instrument,
instrument2,extra,confirmcode) VALUES (
:firstname, :surname, :email, :password, :birthday, :birthmonth,
:birthyear, :houseno, :streetname, :town, :country, :postcode, :phonenumber,
:singer, :songwriter, :producer, :composer, :band, :instrument, :instrument2,
:extra, :rand)";
// assume $dbh is your PDO database connection
$sth = $dbh->prepare($query);
// bindParam binds by reference, so the variable's value at execute() time is used
$sth->bindParam(':firstname', $firstname);
$sth->bindParam(':surname', $surname);
$sth->bindParam(':email', $email);
$sth->bindParam(':password', $password);
$sth->bindParam(':birthday', $birthday);
// and so on...
$sth->execute();
```
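The same INSERT carried through as a complete PDO prepared statement, as an added example that is not part of the answer above. It assumes placeholder DSN/credentials, constructed form input in `$form`, and a guessed set of INT columns; the column names and the `users` table are the ones from the answer.

```php
<?php
// Added example, not code from the answer above. Every value travels as a bound
// parameter and nothing is escaped by hand. The DSN/credentials are placeholders,
// $form is constructed sample input, and which columns are INT is assumed.
$dbh = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER;charset=utf8mb4',
               'USER_PLACEHOLDER', 'PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of "or die"
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

// The column list is a hard-coded constant, so building the SQL text from it is
// safe; doing the same with user-controlled column names would be injection.
$columns = ['firstname', 'surname', 'email', 'password', 'birthday', 'birthmonth',
            'birthyear', 'houseno', 'streetname', 'town', 'country', 'postcode',
            'phonenumber', 'singer', 'songwriter', 'producer', 'composer', 'band',
            'instrument', 'instrument2', 'extra', 'confirmcode'];
$intColumns = ['birthday', 'birthmonth', 'birthyear', 'houseno']; // assumed INT columns

$sql = sprintf('INSERT INTO users (%s) VALUES (:%s)',
               implode(', ', $columns), implode(', :', $columns));

// Constructed sample input. The apostrophe in the surname is stored exactly as
// typed: a bound parameter is data and is never parsed as part of the statement.
$form = ['firstname' => 'Conan', 'surname' => "O'Brien", 'email' => 'c@example.com',
         'password' => 'CHANGE_ME', 'birthday' => '18', 'birthmonth' => '4',
         'birthyear' => '1963', 'houseno' => '30', 'streetname' => 'Rockefeller Plaza',
         'town' => 'New York', 'country' => 'US', 'postcode' => '10112',
         'phonenumber' => '+1-555-0100', 'singer' => 'no', 'songwriter' => 'no',
         'producer' => 'no', 'composer' => 'no', 'band' => '', 'instrument' => 'guitar',
         'instrument2' => '', 'extra' => ''];

$form['password']    = password_hash($form['password'], PASSWORD_DEFAULT); // never store plaintext
$form['confirmcode'] = bin2hex(random_bytes(8)); // takes the place of $rand in the answer

$sth = $dbh->prepare($sql);
foreach ($columns as $c) {
    // Integers are bound with PDO::PARAM_INT rather than by quoting (or not) in the SQL text.
    if (in_array($c, $intColumns, true)) {
        $sth->bindValue(':' . $c, (int) $form[$c], PDO::PARAM_INT);
    } else {
        $sth->bindValue(':' . $c, $form[$c], PDO::PARAM_STR);
    }
}
$sth->execute();
echo 'inserted user id ' . $dbh->lastInsertId() . PHP_EOL;
```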
Escape each input value, not the whole query. Better yet, use parameterized queries via [MySQLi or PDO](http://us3.php.net/mysqlinfo.api.choosing.php) and don't worry about escaping. – Wiseguy
Check that none of the int fields are surrounded by '' and that the other fields are – Lunfel
Oh, classic J-Dawg! –