这是mysqlquery
SELECT course_id
FROM course_master
WHERE year_id = '6'
AND course_name = ''What is Test?': Perspectives'
当我运行查询时,由于特殊字符问题,它会抛出语法错误。我正在使用mysql_escape_string进行转义,但它不起作用。如何转义这些字符
我正在使用mysql_escape_string进行转义,但它不起作用。
你用错了。您必须仅格式化字符串值,而不是整个查询
// here are your variables
$year = 6;
$name = "'What is Test?': Perspectives";
// let's format them
$year = intval($year);
$name = mysql_real_escape_string($name);
// and then insert in a query
$sql = "SELECT course_id FROM course_master
WHERE year_id = $year AND course_name = '$name'";
执行查询时,如果值有单引号,请将单引号加倍,这样就不会出错。
SELECT course_id
FROM course_master
WHERE year_id = '6'
AND course_name = '''What is Test?'': Perspectives'
但如果你是在PHP上做这件事,那么就使用PreparedStatement。这也将防止SQL Injection。下面的文章将向您展示如何使用PHP Extensions.
- 如何防止PHP中的SQL注入
尝试此查询-
SELECT course_id
FROM course_master
WHERE year_id = 6
AND course_name = '''What is Test?'': Perspectives'
或使用转义-
SELECT course_id
FROM course_master
WHERE year_id = 6
AND course_name = '''What is Test?'': Perspectives'