php - Mysql longtext不会保存某些文本？

Question

我的后端有一个脚本，允许我保存默认的注册电子邮件。它可以处理某些消息，但有些则不行。我将字段设置为“longtext”和“utf8_general_ci”。我当前的代码将保存此消息:

Hello this is a default email from your real estate company. If you have received this email, you have signed up for our website. Hello this is a default email from your real estate company. If you have received this email, you have signed up for our website.

If you are looking for Texas "ranch" houses, you have came to the right place.

但不会保存这个:

The new "space gray" iPhone 5s will join the silver and gold models when Apple's flagship handset goes on sale next Friday, Sept. 20. Last year, the iPhone 5 was available in white and black.

The change means the iPhone 5s is no longer available in true black, with Apple instead opting to change the aluminum back and sides to a lighter shade of gray. The glass back and front of the device remain black.

我不知道为什么它会保存某些消息，然后不保存其他消息......这是我的代码:

管理页面上的 jQuery:

$(function() { 
$( "#defaultemail-ebook-submit" ).click(function() {
    $("#defaultemail-ebook-form").ajaxSubmit({url: 'defaultemails.php', type: 'post', success: alert("Email with ebook has been set!")})
});
});

defaultemails.php:

$defaultemailebook = $_REQUEST['defaultemail-ebook'];

if (isset($_POST['defaultemail-ebook'])) {
mysql_query("UPDATE default_emails SET email_ebook='". $defaultemailebook ."' WHERE id = '1'");

echo $defaultemailebook;
}

每当我提交这些电子邮件时，即使是那些未提交的电子邮件，我总是会收到成功警报...有人知道为什么会发生这种情况吗？

Answer 1

您需要处理提交的文本中可以包含撇号 (') 字符的事实。当您的代码遇到撇号 (') 字符时，会将其视为字符串结尾。

这不仅是未保存文本的问题，而且还容易受到 SQL 注入(inject)攻击。

您需要安全地处理字符串，方法是更改​​ SQL 的执行方式，或者在文本中捕获单引号并进行处理。