duancenxiao0482 2014-09-12 19:45
浏览 50
已采纳

SQL Server替换php变量中的撇号

I'm trying to remove apostrophes within certain fields of a SQL Server query within PHP, and despite the fact that I'm throwing in the extra set of ''s in the string pattern section, it still errors out when an apostrophe is found within the result.. I'm not sure what I'm doing wrong here, any help would be hugely appreciated!

This section of the code loops through each row result from a web scrape and throws it into a new table row for each result. The functionality works, but it errors out and breaks the loop whenever an apostrophe is returned by the query.

for($i = 1, $max = count($table); $i < $max; ++$i) {
$dbrow = $table[$i];
$insquery = "INSERT INTO db.schema.table (EVENT_ID, EVENT_CODE, DESCRIPTION, 
STATUS, SITE_STATUS, CITY, COUNTY, ZIP, STATE, STARTDATE, ENDDATE, YEARS_PRIOR, TOTAL_PRICE,
CUSTODIAN_FEE, ESTIMATED_FEES, FEE_TYPE, SD, PROGRAM, RC_LN, BUF_AMOUNT, LOC_PREM, 
ST_PREM, SNAPSHOT_DATE) VALUES('".$dbrow[0]."','".$dbrow[1]."', replace('".$dbrow[2]."','''', ''),'".$dbrow[3]."','".$dbrow[4]."', replace('".$dbrow[5]."','''', ''), replace('".$dbrow[6]."','''', ''),'".$dbrow[7]."','".$dbrow[8]."','".$dbrow[9]."','".$dbrow[10]."','".$dbrow[11]."','".$dbrow[12]."','".$dbrow[13]."','".$dbrow[14]."','".$dbrow[15]."', replace('".$dbrow[16]."','''', ''), replace('".$dbrow[17]."','''', ''), replace('".$dbrow[18]."','''', ''), replace('".$dbrow[19]."','''', ''),'".$dbrow[20]."','".$dbrow[21]."','".$dbrow[22]."');";
sqlsrv_query($conn, $insquery) or die ("Error in query: $insquery. ".sqlsrv_errors());
echo $insquery . "<br>";
};
  • 写回答

1条回答 默认 最新

  • duanduo7400 2014-09-12 19:59
    关注

    Of course it does. You're trying to replace the apostrophes in SQL itself. Consider this statement:

    replace('don't','''', '')

    How is SQL Server supposed to evaluate that? It opens a string, then after three letters closes that string, then encounters an errant t character resulting in a syntax error.

    The query itself needs to be syntactically valid for SQL to execute it. SQL can't fix syntax errors in its own code. You would need to conduct the replacement for single-quotes in PHP, not in SQL.

    In any event, there's a really neat solution to all of this. Prepared statements. Don't worry about quoting at all, let the engine handle that for you. For example:

    $sql = "INSERT INTO Table_1 (id, data) VALUES (?, ?)";
$params = array(1, "some data");

$stmt = sqlsrv_query($conn, $sql, $params);

    This, of course, has the added benefit of helping to protect you from SQL injection attacks, something to which your current code is very likely vulnerable.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 chaquopy python 安卓
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 有没有帮写代码做实验仿真的
  • ¥15 報錯:Person is not mapped,如何解決?
  • ¥30 vmware exsi重置后登不上
  • ¥15 易盾点选的cb参数怎么解啊
  • ¥15 MATLAB运行显示错误,如何解决?
  • ¥15 c++头文件不能识别CDialog
  • ¥15 Excel发现不可读取的内容
  • ¥15 关于#stm32#的问题:CANOpen的PDO同步传输问题