如何在PHP中的SQL查询中处理单引号? [英] How do I handle single quotes inside a SQL query in PHP?

问题描述

我正在使用特定的查询来插入记录.一切顺利.我什至使用选择查询来获取记录.但是我的问题是，如果记录中包含单引号''，那么它将给我这个错误:

I am using a particular query for inserting records. It is going well. I am even fetching records with a select query. But my problem is that, if the record contains single quotes ' ', then it gives me this error:

> NOTE:You have an error in your SQL syntax; 
>     check the manual that corresponds to your MySQL server 
>     version for the right syntax to use near 'B''' at line 1

SELECT查询为:

$result= mysql_query("SELECT s.name, 
                             s.sid as sid, 
                             s.category, 
                             p.name as pname 
                         FROM poet p 
                         INNER JOIN song s 
                            ON p.pid = s.pid 
                         WHERE s.name= '$sid'") or die(mysql_error());

我该怎么做才能跳过引号问题.当我想在记录中插入引号时.

What should I do to skip quotes problem in this. When I want quotes to insert in my records.

推荐答案

您的问题比这严重得多-如果有人输入值'; DROP TABLE poet; --怎么办?您需要使用mysql_real_escape_string()来转义该值，或使用参数化查询(例如，使用PDO).

Your problem is much worse than this -- what if someone enters the value '; DROP TABLE poet; --? You need to use either mysql_real_escape_string() to escape the value, or use parametrized queries (with PDO, for example).

_{这是2011年，因为大声呐喊.为什么SQL注入仍然是一个普遍的问题?}

这篇关于如何在PHP中的SQL查询中处理单引号?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！