如何使用php在SQL查询中转义引号?
[英]How do you escape quotes in a sql query using php?
问题描述
I have a query 
我有一个查询
$sql ="SELECT CustomerID FROM tblCustomer
WHERE EmailAddress = '".addslashes($_POST['username']) ."' AND Password = '".addslashes($_POST['password']) ."'";
// while printing, it will be
SELECT CustomerID FROM tblCustomer WHERE EmailAddress = 'test@ab\'c.com' AND Password = '123'
if we executing this in a mysql server it works, but not in a sql server 如果我们在mysql服务器中执行此操作,则可以,但是在sql服务器中则不能
what is the solution for this? 解决方案是什么? . 。 Iam using sql server IAM使用SQL Server
4 个解决方案
解决方案1
20 已采纳 2010-07-15 05:21:33
addslashes() will escape single quotes with a leading backslash which is valid syntax in MySQL but not in MS SQL Server. addslashes()会在单引号前加上反斜杠,这在MySQL中有效,但在MS SQL Server中无效。 The correct way to escape a single quote in MS SQL Server is with another single quote. 在MS SQL Server中转义单引号的正确方法是使用另一个单引号。 Use mysql_real_escape_string() for MySQL ( mysql_escape_string() has been deprecated). 对MySQL使用mysql_real_escape_string() mysql_escape_string()已弃用mysql_escape_string() )。 Unfortunately, no analogous mssql_ function exists so you'll have to roll your own using str_replace() , preg_replace() or something similar. 不幸的是,不存在类似的mssql_函数,因此您必须使用str_replace() , preg_replace()或类似的东西来滚动自己的函数。 Better yet, use a database neutral abstraction layer such as PDO that supports parameterized queries. 更好的是,使用支持参数化查询的数据库中性抽象层(例如PDO)。
解决方案2
6 2010-07-15 05:26:45
For MySQL, you want to use mysql_real_escape_string . 对于MySQL,您想使用mysql_real_escape_string 。 addslashes does almost the same thing and has fewer letters, but apparently it gets some stuff wrong -- don't use it. addslashes几乎做同样的事情,并且字母更少,但是显然它弄错了一些东西,请不要使用它。
For SQL Server, it's a bit more complicated, as (1) MySQL quotes stuff non-standardly, and (2) i don't see a function made to quote stuff for SQL Server. 对于SQL Server,它有点复杂,因为(1)MySQL非标准地引用内容,(2)我看不到为SQL Server引用内容的函数。 However, the following should work for you... 但是,以下应为您工作...
$escaped_str = str_replace("'", "''", $unsafe_str);
解决方案3
4 2010-07-15 05:18:09
for mysql 对于mysql
USE mysql_real_escape_string 使用mysql_real_escape_string
http://php.net/manual/en/function.mysql-real-escape-string.php http://php.net/manual/zh/function.mysql-real-escape-string.php
like : 喜欢 :
// Query
$query = sprintf("SELECT * FROM tblCustomer WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
for mssql 对于mssql
look on the answers here : 在这里查看答案:
How to escape strings in SQL Server using PHP? 如何使用PHP在SQL Server中转义字符串?
解决方案4
3 2010-07-15 23:06:25
You shouldn't really be building the SQL statement dynamically as it's dangerous (and unnecessary). 您不应该真正地动态构建SQL语句,因为它很危险(也是不必要的)。 The correct thing to do is to use a paramerised query see http://msdn.microsoft.com/en-us/library/cc296201%28SQL.90%29.aspx 正确的做法是使用参数化查询,请参阅http://msdn.microsoft.com/zh-cn/library/cc296201%28SQL.90%29.aspx
$sql ="SELECT CustomerID FROM tblCustomer WHERE EmailAddress = ? AND Password = ?";
$stmt = sqlsrv_query( $conn, $sql, array($_POST['username'], $_POST['password']));
This is much safer and means you don't have to worry about escaping characters. 这样更加安全,这意味着您不必担心转义字符。 Another thing is beware of case sensitive / insensitve comparisons. 另一件事是要注意区分大小写/不区分大小写的比较。 For example if you wanted email address to be case insensitive but password case sensitive use something like: 例如,如果您希望电子邮件地址不区分大小写,但密码区分大小写,则使用类似:
$sql ="SELECT CustomerID FROM tblCustomer WHERE EmailAddress = ? COLLATE SQL_Latin1_General_CP1_CIAI AND Password = ? COLLATE SQL_Latin1_General_CP1_CSAS";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.