问题描述

我正在使用特定的查询来插入记录.一切顺利.我什至使用选择查询来获取记录.但是我的问题是，如果记录中包含单引号''，那么它将给我这个错误:

I am using a particular query for inserting records. It is going well. I am even fetching records with a select query. But my problem is that, if the record contains single quotes ' ', then it gives me this error:

> NOTE:You have an error in your SQL syntax;
>     check the manual that corresponds to your MySQL server
>     version for the right syntax to use near 'B''' at line 1

SELECT查询为:

$result= mysql_query("SELECT s.name,
                             s.sid as sid,
                             s.category,
                             p.name as pname
                         FROM poet p
                         INNER JOIN song s
                            ON p.pid = s.pid
                         WHERE s.name= '$sid'") or die(mysql_error());

我该怎么做才能跳过引号问题.当我想在记录中插入引号时.

What should I do to skip quotes problem in this. When I want quotes to insert in my records.

推荐答案

您的问题比这严重得多-如果有人输入值'; DROP TABLE poet; --怎么办?您需要使用mysql_real_escape_string()来转义该值，或使用参数化查询(例如，使用PDO).

Your problem is much worse than this -- what if someone enters the value '; DROP TABLE poet; --? You need to use either mysql_real_escape_string() to escape the value, or use parametrized queries (with PDO, for example).

这篇关于如何在PHP中的SQL查询中处理单引号?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！