如何在MySQL查询中使用带有单引号的值的数组?
[英]How do I use an array with a value with a single quote in a MySQL query?
问题描述
mysql_query("INSERT INTO objects(objId, objectId, objectCategory, SortOrder, Name) VALUES('{$obj_id}', '{$object_id}', '{$object_category}', '{$sortorder}', 'My " . $objecta['Name'] . "')")or die(mysql_error());
This code fails when $objecta['Name'] has a single quote in it. 
$objecta['Name']中包含单引号时,此代码将失败。 I can't seem to be able to quote everything so that it works even if $objecta['Name'] has a single quote in it. 我似乎无法引用所有内容,即使$objecta['Name']中包含单引号,它也无法正常工作。
1 个解决方案
解决方案1
1 已采纳 2016-12-08 18:38:29
Two things: 两件事情:
1) You should escape your input. 1)您应该转义您的输入。 mysql_real_escape_string($objecta['Name']) This ensures that things like the ' character are escaped, ie \\' which allows the insert to happen. mysql_real_escape_string($objecta['Name'])这样可以确保诸如'字符之类的字符被转义,即\\'允许插入发生。
2) mysql_* extension is deprecated and you should really at least use mysqli_* or pdo or another database driver. 2)不建议使用mysql_*扩展名,您实际上至少应使用mysqli_*或pdo或其他数据库驱动程序。 Using prepared statements in one of these other database drivers accomplishes the same as what I said above. 在这些其他数据库驱动程序之一中使用准备好的语句可以实现与我上面说的相同的操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.