[英]How to escape & and ' in mssql and Php?
我可以肯定在這種情況下我需要像preg_replace這樣的東西,但是我不確定是否放它。 我有一個頁面,允許人們搜索員工目錄(PHP和MSSQL)。 他們可以按姓氏,建築物或部門進行搜索。 姓氏和建築物都可以,但是我在三個部門中遇到問題,兩個部門中有一個&(例如Grants&Planning),當您單擊該部門時,它不會返回任何結果,我認為是因為它無法將“&計划”識別為整個字符串的一部分。 我遇到的另一個問題是我有一個部門中有一個'部門,並且拋出錯誤
PHP警告:mssql_query()[function.mssql-query]:消息:第1行:'s'附近的語法不正確。 (嚴重性15)在179行上的C:\\ Inetpub \\ wwwroot \\ DACC \\ directory \\ dept.php中
* PHP警告:mssql_query()[function.mssql-query]:消息:字符串'ORDER BY Lastname'之前的引號引起來。 (嚴重性15)在179行的C:\\ Inetpub \\ wwwroot \\ DACC \\ directory \\ dept.php中*
第179行是這個... $query = mssql_query("SELECT * FROM directory WHERE Displayname = '$department' ORDER BY Lastname");
這是按部門查詢頁面的其余代碼。...如果有人可以幫助我,我將不勝感激! `
$department = $_GET['dept'];
// This will evaluate to TRUE so the text will be printed.
if (isset($department)) {
$query = mssql_query("SELECT * FROM directory WHERE Displayname = '$department' ORDER BY Lastname");//$query = mssql_query("SELECT * FROM directory WHERE department IN (SELECT id FROM departments WHERE name='$department') ORDER BY Lastname");
$query2 = mssql_query(
"SELECT TOP 1 directory.FirstName, directory.Lastname, directory.email,
directory.phone, directory.office, directory.title, directory.displayname, departments.id AS dept_id, departments.name AS dept_name, departments.url AS dept_url
FROM directory
INNER JOIN departments on directory.displayname = departments.name
WHERE directory.displayname = '$department'
ORDER BY directory.LastName");
$numofrows = @mssql_num_rows($query);
// Check if there were any records
if (!mssql_num_rows($query)) {
echo 'No records found';
echo '<br /><a href="/directory/">Go Back</a>';
} else {
while($row1 = mssql_fetch_array($query2))
{
$dept_var = $row1['dept_name'];
$dept_id = $row1['dept_id'];
$dept_url = $row1['dept_url'];
print "<h3><a href=\"$dept_url\">$dept_var</a></h3>";
}
print "<table id=\"directory_table\" width=\"480\">
<tr>
<th>Name</th>
<th>Email</th>
<th>Phone</th>
<th>Office</th>
<th>Title</th>
</tr>";
for($i = 0; $i < $numofrows; $i++)
{
$row = mssql_fetch_array($query);
if($i % 2)
{
print '<tr bgcolor="#ffffff">';
}
else
{
print '<tr bgcolor="#eeeeee">';
}
print "<td>" . $row['Firstname'] . " " . $row['Lastname'] . " </td>";
print "<td><a href=\"mailto:" . $row['email'] . "\">" . $row['email']. "</a> </td>";
print "<td>" . $row['phone'] . " </td>";
print "<td>" . $row['Office'] . " </td>";
print "<td>" . $row['Title'] . " </td>";
print "</tr>";
}
print "</table>";
}
// Free the query result
mssql_free_result($query);
}
else
print "No Search Defined";
?>
編輯以顯示更改可以嘗試以下操作:
$serverName = "localhost"; //serverName\instanceName
$connectionInfo = array( "Database"=>"DACC", "UID"=>"daccweb", "PWD"=>"go");
$conn = sqlsrv_connect( $serverName, $connectionInfo);
if( $conn ) {
echo "Connection established.<br />";
}else{
echo "Connection could not be established.<br />";
die( print_r( sqlsrv_errors(), true));
}
//$conn = sqlsrv_connect("connection string here");
$queryParams = array($department);
//Selector links
print "<a href=\"/directory/\">Go back to main search</a><br />";
print "<u>Search for Employees:</u><br /><br />\n";
print "<br />";
//$officeloc = $_GET['building'];
$department = $_GET['dept'];
// This will evaluate to TRUE so the text will be printed.
if (isset($department)) {
$query = sqlsrv_query($conn, "SELECT * FROM directory WHERE Displayname = ? ORDER BY Lastname", $params);
$query2 = sqlsrv_query($conn, "SELECT TOP 1 directory.FirstName, directory.Lastname, directory.email,
directory.phone, directory.office, directory.title, directory.displayname,
departments.id AS dept_id, departments.name AS dept_name, departments.url AS dept_url
FROM directory
INNER JOIN departments on directory.displayname = departments.name
WHERE directory.displayname = ?
ORDER BY directory.LastName", $params);
新編輯
查詢運行,但不回顯/打印結果$ query = sqlsrv_query($ conn,“ SELECT * FROM directory WHERE Displayname =?ORDER BY Lastname”,$ params);
$query2 = sqlsrv_query($conn, "SELECT TOP 1 directory.FirstName, directory.Lastname, directory.email,
directory.phone, directory.office, directory.title, directory.displayname,
departments.id AS dept_id, departments.name AS dept_name, departments.url AS dept_url
FROM directory
INNER JOIN departments on directory.displayname = departments.name
WHERE directory.displayname = ?
ORDER BY directory.LastName", $params);
$numofrows = @@sqlsrv_has_rows($query);
// Check if there were any records
if (!@sqlsrv_has_rows($query)) {
echo 'No records found';
echo '<br /><a href="/directory/">Go Back</a>';
} else {
while($row1 = sqlsrv_fetch_array($query2))
{
$dept_var = $row1['dept_name'];
$dept_id = $row1['dept_id'];
$dept_url = $row1['dept_url'];
print "<h3><a href=\"$dept_url\">$dept_var</a></h3>";
//echo "</h3><br />";
}
print "<table id=\"directory_table\" width=\"480\">
<tr>
<th>Name</th>
<th>Email</th>
<th>Phone</th>
<th>Office</th>
<th>Title</th>
</tr>";
for($i = 0; $i < $numofrows; $i++)
{
$row = sqlsrv_fetch_array($query);
if($i % 2)
{
print '<tr bgcolor="#ffffff">';
}
else
{
print '<tr bgcolor="#eeeeee">';
}
print "<td>" . $row['Firstname'] . " " . $row['Lastname'] . " </td>";
print "<td><a href=\"mailto:" . $row['email'] . "\">" . $row['email']. "</a> </td>";
print "<td>" . $row['phone'] . " </td>";
print "<td>" . $row['Office'] . " </td>";
print "<td>" . $row['Title'] . " </td>";
print "</tr>";
}
print "</table>";
}
// Free the query result
sqlsrv_free_stmt($query);
}
else
print "No Search Defined";
您可以在PHP和MSSQL中使用SQL參數,看一下:
http://blogs.msdn.com/b/sqlphp/archive/2008/09/30/how-and-why-to-use-parameterized-queries.aspx
您的參數值將自動轉義,無需您進行任何操作。
您需要使用sqlsrv驅動程序,請參見: http ://www.php.net/manual/zh/sqlsrv.setup.php
為了獲得行數,我們還需要指定一些查詢選項。 (請查看http://www.php.net/manual/zh-CN/function.sqlsrv-num-rows.php和http://msdn.microsoft.com/zh-CN/library/hh487160.aspx )
$conn = sqlsrv_connect("connection string here");
$queryParams = array($department);
$queryOptions = array( "Scrollable" => "buffered" );
$query = sqlsrv_query($conn, "SELECT * FROM directory WHERE Displayname = ? ORDER BY Lastname", $queryParams, $queryOptions);
$query2 = sqlsrv_query($conn, "SELECT TOP 1 directory.FirstName, directory.Lastname, directory.email,
directory.phone, directory.office, directory.title, directory.displayname,
departments.id AS dept_id, departments.name AS dept_name, departments.url AS dept_url
FROM directory
INNER JOIN departments on directory.displayname = departments.name
WHERE directory.displayname = ?
ORDER BY directory.LastName", $queryParams, $queryOptions);
$numofrows = sqlsrv_num_rows($query);
請注意,構建數組的順序必須與?的順序匹配?
符號出現在查詢中。 由於您在每個查詢中僅使用一個參數,並且它們相同,因此您只需要構建一個數組。
然后,您可以將所有mssql函數替換為sqlsrv函數,以獲取函數及其用法的列表,請參閱文檔: http ://www.php.net/manual/zh/ref.sqlsrv.php
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.