这是mysqlquery在MySQL查询中使用特殊字符抛出异常
SELECT course_id
FROM course_master
WHERE year_id = '6'
AND course_name = ''What is Test?': Perspectives'
当我运行查询,它抛出,因为特殊字符的语法错误problem.Iam使用函数mysql_escape_string逃跑,但它不working.How到转义这些字符
这是mysqlquery在MySQL查询中使用特殊字符抛出异常
SELECT course_id
FROM course_master
WHERE year_id = '6'
AND course_name = ''What is Test?': Perspectives'
当我运行查询,它抛出,因为特殊字符的语法错误problem.Iam使用函数mysql_escape_string逃跑,但它不working.How到转义这些字符
当执行一个查询并且一个值有单引号时,加倍单引号所以不会出错。
SELECT course_id
FROM course_master
WHERE year_id = '6'
AND course_name = '''What is Test?'': Perspectives'
但是如果你在PHP上这样做,请使用PreparedStatement
。这也会阻止从SQL Injection
。下面的文章将告诉你如何使用PHP Extensions.
尝试此查询 -
SELECT course_id
FROM course_master
WHERE year_id = 6
AND course_name = '''What is Test?'': Perspectives'
或使用转义 -
SELECT course_id
FROM course_master
WHERE year_id = 6
AND course_name = '\'What is Test?\': Perspectives'
我使用mysql_esca pe_string来逃脱,但它不工作。
您错了。你只需要格式化字符串值,而不是整个查询
// here are your variables
$year = 6;
$name = "'What is Test?': Perspectives";
// let's format them
$year = intval($year);
$name = mysql_real_escape_string($name);
// and then insert in a query
$sql = "SELECT course_id FROM course_master
WHERE year_id = $year AND course_name = '$name'";
嗨Iam以这种方式使用但不工作$ sql =“select course_id from course_master where year_id ='”。$ year。“'and course_name ='”。$ this-> sanitiseData($ module_name)。“'” ; public data sanitiseData($ data) \t { \t \t $ data = mysql_escape_string($ data); \t \t return $ data; \t} – 2013-02-14 13:22:50
现在我感兴趣的是你如何逃避该字符串...你能提供该代码吗? – Najzero 2013-02-14 13:10:00
请显示实际的PHP代码;没有它,我们不能给你准确的帮助。 – SDC 2013-02-14 13:18:49
您好实际的代码是$ sql =“select course_master from course_master where year_id ='”。$ year。“'and course_name ='”。$ this-> sanitiseData($ course_name)。“'”; $ course_id = $ this - > _ dbAdapter-> fetchOne($ sql); ($ data) public function sanitiseData($ data) { $ data = mysql_escape_string($ data); 返回$ data; } – 2013-02-14 13:28:08