
adding mysql_real_escape_string automatically with regexp

Developer https://www.devze.com 2023-03-03 04:32 Source: Web
I have a mysql class which has a method called query() which is basically mysql_query(). This method receives the query as the parameter like this:

insert into table set field1 = 'value 1', field2 = 'value 2' or select id from table where field1 = 'value 1', field2 like '%value 2%'

This is not a very good practice, of course, because all the values should be first passed through mysql_real_escape_string().

I want to use a regular expression to catch all the patterns where some information is passed to the method, like the bolded sections:

insert into table set field1 = '**value 1**', field2 = '**value 2**'.

The problem is that if I let preg_replace be greedy it would eventually catch:

insert into table set field1 = '**value 1', field2 = 'value 2**'

and if it's not greedy it would catch:

insert into table set field1 = '**value **' 1', field2 = 'value 2' (where field1 is actually = "value '1").

An option would be to put the values between a delimiter like in the following example, but this does not seem the best method to me:

insert into table set field1 = {{value 1}}, field2 = {{value 2}} and then just catch all text between "{{" and "}}" and replace it with its mysql_real_escape_string()'ed value.

Is there a way to do this in a more professional way?

ps: sorry for having ** inside the code, I don't know how to bold inside the ticks


Use PDO: http://php.net/manual/en/book.pdo.php


This is a bad idea, because if you were to use }} then now you'll have to escape for the closing }}. You're basically inventing a new syntax to do the exact same thing.

Use prepared statements instead.

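Both answers point at prepared statements rather than regex escaping. As an added example (not code from either answer or from the original post), here are the question's insert and select written against PDO; the database name, the table's columns and the credentials are assumptions.

```php
<?php
// Added example, not code from the original post. It rewrites the two queries
// from the question as PDO prepared statements, so the values never become part
// of the SQL text and no regex-based escaping is needed. Assumed: a MySQL
// database "app" with a table `table` (columns id, field1, field2); the
// credentials are placeholders.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the driver never splices values into the query.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * A parameterised replacement for the question's query() method (hypothetical
 * name): the caller passes the SQL with placeholders and the values separately.
 */
function query(PDO $pdo, string $sql, array $params = []): PDOStatement
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

// The insert from the question. `table` is back-quoted because TABLE is a
// reserved word in MySQL. The value "value '1", which broke the regex approach,
// needs no special handling here.
query($pdo, 'INSERT INTO `table` SET field1 = :f1, field2 = :f2', [
    ':f1' => "value '1",
    ':f2' => 'value 2',
]);

// The select with LIKE. The wildcards are part of the bound value, not the SQL.
// If the search term comes from a user and should match literally, escape the
// LIKE metacharacters (% and _) in the value first; binding alone does not.
$term    = 'value 2';
$pattern = '%' . addcslashes($term, '%_\\') . '%';
$ids = query(
    $pdo,
    'SELECT id FROM `table` WHERE field1 = :f1 AND field2 LIKE :pattern',
    [':f1' => 'value 1', ':pattern' => $pattern]
)->fetchAll(PDO::FETCH_COLUMN);
```

Placeholders only stand in for values; table and column names still have to come from code you control, not from input.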
