在PHP中,如何在插入MySQL表之前转义字符串中的单引号?
[英]In PHP, how can I escape single quotes in my string before inserting into a MySQL table?
问题描述
I have a lot of text to insert into a MySQL table using PHP. 
我有很多文本可以使用PHP插入MySQL表中。 Part of the text looks like this example: 文本的一部分类似于以下示例:
Yes, this is 'great'!
To fill this into an SQL Statement, I need to escape the ' . 要将其填充到SQL语句中,我需要对'进行转义。
I'm using an ereg-replace $text=mb_ereg_replace("'","\\\\'", $text); 我正在使用ereg-replace $text=mb_ereg_replace("'","\\\\'", $text); to make the following work: 使以下工作:
$sql="insert into mytable (msg) values ('".$text."')";
Now I found out that there is also another text-style, where I have to save to MySQL something like this: 现在,我发现还有另一种文本样式,必须在其中保存如下内容:
As you can see the \' world\' is a "disc"!
So I tried adding more mb_ereg_replace like this: 因此,我尝试添加更多mb_ereg_replace,如下所示:
$text=mb_ereg_replace("'","\\'", $text);
$text=mb_ereg_replace("\\","\\\\", $text);
But this does not work, I just get the error message: PHP Warning: mb_ereg_replace(): mbregex compile err: end pattern at escape in [...] 但这不起作用,我只收到错误消息: PHP Warning: mb_ereg_replace(): mbregex compile err: end pattern at escape in [...]
What causes this? 是什么原因造成的? I probably made some mistake, but can't find it! 我可能犯了一些错误,但找不到它!
Thank you for any kind of help. 谢谢您的帮助。
2 个解决方案
解决方案1
2 已采纳 2011-10-14 11:13:36
Use mysql_real_escape_string to escape your strings. 使用mysql_real_escape_string转义您的字符串。
$text = mysql_real_escape_string($text);
Or better, use PDO and parameterized queries. 更好的是使用PDO和参数化查询。
解决方案2
1 2015-04-29 11:15:13
There's a much better way, and you won't need to worry about escaping your strings ever again. 有一种更好的方法,您无需担心再次逃脱字符串的麻烦。 Using prepared statements in mysqli or PDO will both make large queries (ones with many rows) run much faster, they are secure, you don't have to worry about (most types of) SQL injection and they are easy to learn. 在mysqli或PDO使用准备好的语句将使大型查询(具有多行的查询)运行得更快,它们是安全的,您不必担心(大多数类型的)SQL注入并且它们很容易学习。 the strings will just be accepted as is into your database without the risk of breaking your code. 字符串将被原样接受到您的数据库中,而不会破坏代码。
Here's an example with mysqli : 这是mysqli的示例:
$conn = new mysqli($servername, $username, $password, $dbname);
$stmt = $conn->prepare("INSERT INTO table (columnname) VALUES (?)");
$stmt->bind_param("s", $text);
$stmt->execute();
$stmt->close();
Basicallly, by binding the parameters before it goes in, it just accepts any string the way you create it, and there's no need to escape anything.' 基本上,通过在传入参数之前对其进行绑定,它只接受您创建它时所接受的任何字符串,而无需进行任何转义。
Here's the same thing using PDO. 使用PDO也是一样。 This does essentially the same thing but has the advantage of both working with multiple different database types (such as for instance Oracle or PostgreSQL) and also lends itself to some nifty modification due to the classes associated. 这本质上是做相同的事情,但是具有既可以使用多种不同的数据库类型(例如Oracle或PostgreSQL)的优点,又由于相关的类而使其自身进行了一些巧妙的修改。
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare("INSERT INTO table (columname)
VALUES (:text)");
$stmt->bindParam(':text', $text);
$stmt->execute();
catch(PDOException $e)
{
echo "Oops, didn't work: " . $e->getMessage();
}
$conn = null;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.