我制作了这个php程序来访问mysql数据
foreach ($arrayOfID as $ID) {
$IDWhere[]="TB.ID LIKE '" .$ID."'";
//$IDWhereOther[]="Business LIKE '".$ID."'";
// $IDWhereFinalOther1[]=$ID;
$IDWherePhone[]="BusinessID LIKE '".$ID."'";
//$IDWhereURLandImage[]="`Business ID` LIKE '".$ID."'";
$newOutput[$ID]=array();
$copy[$ID]=array();
keyID2[]=$ID;
$IDtoBuilding[]="TB.ID LIKE '".$ID."'";
}
IDWhereFinal=implode(" OR ", $IDWhere);
//$IDWhereFinalOther=implode(" OR ", $IDWhereOther);
//$IDFinalBuilding=implode(" OR ", $IDtoBuilding);
//$query="Select *, Country FROM `tablebusiness` As TB, `tablecity` As TC WHERE (".$IDWhereFinal.") AND TB.City=TC.City";
//$query="Select *, Country, Building.Title FROM `tablebusiness` As TB, `tablecity` As TC, `tablebusiness` As Building WHERE (".$IDWhereFinal.") AND TB.City=TC.City And (Building.ID=TB.Building OR TB.Building=0)";
//$query="Select *, Country, COALESCE(NULL,(select Title from `tablebusiness` As TBuild where TBuild.ID=TB.Building)) as BuildingTitle FROM `tablebusiness` As TB, `tablecity` As TC, `tablebusiness` As Building WHERE (".$IDWhereFinal.") AND TB.City=TC.City";
$query="Select *, Country, (select Title from `tablebusiness` As TBuild where TBuild.ID=TB.Building) as BuildingTitle FROM `tablebusiness` As TB, `tablecity` As TC WHERE TB.City=TC.City and (".$IDWhereFinal.")";
$data = mysql_query($query);
问题是,有时$ID
包含'
我认为应该逃到''
中
但'
可能不是的唯一问题
也许还有其他字符也应该进行编码。
有这样的功能吗?
当然。你必须使用mysql_real_escape_string
。这也有利于安全性,基本上每次在数据库中插入数据时都应该将其放入(除非它不是字符串,否则可以转换为int/foat/etc)
实现这一点的现代方法是使用PHP的PDO扩展和准备好的语句,这些语句可以为您处理正确的转义。所以你的查询会变成类似于这个
Select *, Country, (
select Title from `tablebusiness` As TBuild
where TBuild.ID=TB.Building) as BuildingTitle
FROM `tablebusiness` As TB, `tablecity` As TC
WHERE TB.City=TC.City and (TB.ID LIKE ? OR BusinessID LIKE ?)