在 Codeigniter 中转义 SQL 查询 [英] Escaping SQL queries in Codeigniter

问题描述

我正在使用 CodeIgniter 将一些数据插入到 MySQL 表中.因为我正在使用 INSERT IGNORE INTO 并且不想编辑活动记录类来启用此功能，所以我手动生成 SQL 查询.

I am inserting some data into a MySQL table using CodeIgniter. Because I am using INSERT IGNORE INTO and do not want to edit the active records class to enable this feature, I am generating the SQL query manually.

$this->db->query("INSERT IGNORE INTO my_table(lat, lng, date, type)
                        VALUES ('" . $data['lat'] . "', '" . $data['lng'] . "', '" . $data['date'] . "', '" . $data['type'] . "')");

问题: 当$data['type'] 中的字符串包含单引号时，查询失败.我怎样才能让这些需要转义的字符自动转义，就像使用活动记录时一样?

Problem: The query failed when the string in $data['type'] contained a single quote. How can I make it such that these characters that need to be escaped gets escaped automatically, like when using Active records?

推荐答案

另一种方法是使用自动转义所有值的查询绑定:

Another way is to use Query Binding which automatically escapes all the values:

$sql = "INSERT IGNORE INTO my_table(lat, lng, date, type) VALUES (?,?,?,?);"; 
$this->db->query($sql, array($data['lat'], $data['lng'], $data['date'], $data['type']));

这篇关于在 Codeigniter 中转义 SQL 查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！