在PostgreSQL中使用单引号插入值
[英]Insert values with single quotation in PostgreSQL
问题描述
I want to run the following query with a single quoted value. 
我想使用单引号值运行以下查询。
INSERT INTO web_camp_keywords (web_id, keyword) VALUES (195, 'abc'hotels')
I just want to add abc'hotels value. 我只想添加abc'hotels值。 I used backslash, but it did not work. 我使用反斜杠,但它没有用。
INSERT INTO web_camp_keywords (web_id, keyword) VALUES (195, 'abc\'hotels')
How can I resolve this? 我该如何解决这个问题?
2 个解决方案
解决方案1
8 已采纳 2012-08-08 05:22:18
You can escape the single quote with another single. 你可以用另一个单一的单引号来逃避。
INSERT INTO web_camp_keywords (web_id, keyword)
VALUES (195, 'abc''hotels')
But personally I think you should be using prepared statements with bind parameters . 但我个人认为你应该使用带有绑定参数的预处理语句 。
Among other things, use of prepared statements with bind parameters is one of the easiest ways to help protect against SQL injection , the biggest source of security holes in web applications. 除此之外,使用带有绑定参数的预准备语句是帮助防止SQL注入的最简单方法之一,这是Web应用程序中安全漏洞的最大来源。
解决方案2
2 2012-08-08 05:58:19
Like Chris Moutray and others mentioned, it would be best if you used pdo and prepared statements. 就像Chris Moutray和其他人提到的那样,如果你使用pdo和预备语句,那将是最好的。 Here is an example on how you could prepare a statement, provide the statement with values and then execute it. 下面是一个关于如何准备语句,为语句提供值然后执行它的示例。 I left out the connection. 我遗漏了连接。
$statement = $pdo->prepare("insert into web_camp_keywords (web_id, keyword) values (:id, :keyword)");
$statement->bindValue(':id', 195);
$statement->bindValue(':keyword', "abc'hotels");
$statement->execute();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.