
php mysql special character escape

Developer https://www.devze.com 2023-02-21 01:59 Source: web
How do I process PHP variables before trying to execute a query? E.g. I am trying to insert text containing ", ' but the query couldn't execute. What is the best way to solve this with the PDO class?

Many thanks


Perhaps PDO::quote is what you are looking for: http://php.net/manual/en/pdo.quote.php


Take a look at both addslashes() and mysql_real_escape_string(). What's happening here is that a ' is a special character, meaning MySQL will treat it as part of its syntax instead of treating it as a string like you want. addslashes or mysql_real_escape_string will add a backslash \ before all single and double quotes (and others) to make them not part of the MySQL syntax.


You can use mysql_real_escape_string($string) to escape your incoming string so that ' and " will be escaped.


You should bind your PHP variables, not escape them.

$variable = "''''''''''''''''''"; // any quoting characters are fine here
$sth = $dbh->prepare('SELECT * FROM table WHERE column = ?'); // ? is a positional placeholder
$sth->execute(array($variable)); // the value is passed separately from the SQL text
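Putting the PDO::quote answer and the bind-your-variables answer side by side, here is an added example (not code from any of the answers above) that inserts the asker's text three ways and shows which ones survive. It runs against an in-memory SQLite database through PDO so it needs no MySQL server; the table name `notes` and column `body` are assumptions for the demo. One caveat on the other two answers: the mysql_* functions, including mysql_real_escape_string, were removed in PHP 7.0, so on a current PHP the choice is mysqli_real_escape_string or, better, bound parameters as shown here.

```php
<?php
// Added example, not code from the original answers. Inserts text containing
// ' " and \ with PDO three ways. SQLite in-memory is used so it runs with no
// MySQL server; the table and column names are invented for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input with the characters from the question, plus a backslash.
$text = 'O\'Reilly said "hi" \\ and more';

// 1. Raw interpolation: the quote inside the value ends the SQL string literal
//    early, so the statement is a syntax error (and, with untrusted input,
//    an SQL injection).
try {
    $pdo->exec("INSERT INTO notes (body) VALUES ('$text')");
    echo "unexpected: raw interpolation succeeded\n";
} catch (PDOException $e) {
    echo "raw interpolation failed: " . $e->getMessage() . "\n";
}

// 2. Bound parameter (preferred): the SQL text never contains the value, so
//    no character in it can be mistaken for SQL syntax.
$stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->execute([':body' => $text]);

// 3. PDO::quote, for the rare case where binding is impossible (e.g. a dynamic
//    IN (...) list). It returns the value already wrapped in quotes using the
//    driver's rules, so do not add your own quotes around it.
$pdo->exec('INSERT INTO notes (body) VALUES (' . $pdo->quote($text) . ')');

// Read back with a bound WHERE parameter and confirm both rows round-tripped
// byte-for-byte.
$check = $pdo->prepare('SELECT body FROM notes WHERE body = ? ORDER BY id');
$check->execute([$text]);
$rows = $check->fetchAll(PDO::FETCH_COLUMN);

if (count($rows) === 2 && $rows[0] === $text && $rows[1] === $text) {
    echo "ok: both rows contain exactly " . var_export($text, true) . "\n";
} else {
    echo "MISMATCH\n";
    var_dump($rows);
}
```

Run it with `php escape_demo.php`. Against MySQL the only change is the DSN (plus `charset=utf8mb4` in it). pdo_mysql emulates prepared statements client-side by default: with emulation on, PDO escapes the values using the connection charset and splices them in, which is safe as long as that charset is set in the DSN; with PDO::ATTR_EMULATE_PREPARES set to false the server receives the SQL and the values separately, which is the cleaner option.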
