如何使用MySQLi查询其中包含撇号的列

I'm using a php MySQLi class to be more secure that MySQL, but I have a problem.

I have a column of data which contains apostrophes in it. I am comparing the column against a variable that has NO apostrophes, it's a clean string, from my url. In my old code I could easily just do a Replace(category_name, '''', '') in the SQL statement, and apostrophes wouldn't become a factor.

If I throw this into phpmyadmin, it works:

SELECT DISTINCT merchant_category
FROM products
WHERE Replace( category_name, '''', '' ) = 'childrens accessories'
ORDER BY merchant_category

But with MySQLi this is a real problem, as it won't parse them:

        $params = array();
    $params[0] = "Replace(category_name, '''', '')";
    $params[1] = $this->db->escape($this->cleanDBValue(requestQS("cat1")));

    //print_r($params);

    $rs = $this->db->rawQuery("SELECT DISTINCT merchant_category FROM products WHERE ? = ? ORDER BY merchant_category ", $params);

The data I'm trying to match with the query is:

children's accessories

And I'm not getting any results. How can I get round this?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dongzongpeng6474 2013-01-30 20:24
关注
There are several flaws in your code.

You can bind data literals only. Not identifiers. Not Mysql functions. Not various SQL parts. But data literals only.

The way you did it with your old code is awful. Instead of properly escaping your input data, you "escaped" data that is already in the database.

So, you have to get rid of both these things and make your query as simple as

$param = str_replace('-',' ',$_GET['cat1']); //yes, I don't trust your functions $sql = "SELECT DISTINCT merchant_category FROM products WHERE category_name = ? ORDER BY merchant_category"; $rs = $this->db->rawQuery($sql, array($param));

if it won't work - debug it. But you have to make it work this way only. Without replaces and stuff.

Update:
I got it.
You're trying to match URL slugs against category names.
That's wrong way.
Add another field to your table, contains exact slug from the URL.
And then match this one.
Otherwise you'll be in constant trouble.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

如何使用MySQLi查询其中包含撇号的列 mysql php
2013-01-30 19:50

回答 1 已采纳 There are several flaws in your code. You can bind data literals only. Not identifiers. Not M
PHP Mysqli查询更新无法使用变量 php
2016-08-06 00:28

回答 1 已采纳 It seems like you're trying to set the value in a column called "january" to zero for all rows. Is
使用mysqli prepare查询数组 mysql php
2018-03-03 00:44

回答 1 已采纳 ... "which works fine" ... Are we sure that it works fine? what does $query_packs_for_date_range
php+mysqli使用面向对象方式查询数据库实例
2020-10-24 19:20

主要介绍了php+mysqli使用面向对象方式查询数据库的方法,实例分析了mysqli对象的创建、连接、查询及返回结果、释放资源等技巧,需要的朋友可以参考下
使用mysqli查询失败 mysql php sql
2015-01-05 02:16

回答 1 已采纳 character is a reserved keyword. If you want to name a column identiofier with it you must wrap it
如何使用mysqli查询绑定params php
2015-11-12 17:33

回答 1 已采纳 You need to store the result set for MySQLi prepared statements. Adjust your code as follows: //
Mysqli查询使用$ _get，其中缺少值[重复] php sql
2016-06-10 20:37

回答 3 已采纳 You can either create 2 queries, or just one with some variables. $rent = $_GET['rent']; $rent_op
php+mysqli使用预处理技术进行数据库查询的方法
2020-10-24 19:36

主要介绍了php+mysqli使用预处理技术进行数据库查询的方法,实例分析了php+mysqli预处理技术的使用技巧,需要的朋友可以参考下
使用MySQLI获取列并转换为数组[duplicate] mysql php
2017-02-07 17:21

回答 1 已采纳 Try something like this: $query = "SELECT Desired_column FROM Table_Name"; $results = mysqli_quer
在计算日期时正确使用PHP和MySQLi查询 mysql php
2017-05-01 01:04

回答 1 已采纳 Set your dates to be ISO-8601 dates, YYYY-MM-DD in a DATE column. You cannot compare values like t
PHP：使用mysqli查询检查行是否存在 php
2013-03-31 13:08

回答 2 已采纳 This is always going to return FALSE (assuming the query successfully executes): if ($stmt->ex
PHP使用mysqli同时执行多条sql查询语句的实例
2021-01-20 08:24

之前我们有介绍过如何在PHP5中使用mysqli的prepare操作数据库，使用mysqli更是支持多查询特性，请看下面这段php代码： <?php $mysqli = new mysqli(localhost,root,,123456); $mysqli->query(set names 'utf8');...
MySQL SSH控制台正确运行子查询，但mysqli为子查询列返回零 mysql php
2018-05-31 22:42

回答 1 已采纳 without specifying the table source for a variable when joins are in play you can get unexpected r
php mysqli查询语句返回值类型实例分析
2020-10-22 00:32

主要介绍了php mysqli查询语句返回值类型,结合实例形式分析了php+mysqli常用的查询、插入语句的使用与返回值类型,需要的朋友可以参考下
php用mysqli从数据库中查询,在PHP中使用Mysqli操作数据库
2021-04-27 02:07

嘉实体育的博客 PHP的 mysqli 扩展提供了其先行版本的所有功能，此外，由于 MySQL 已经是一个具有完整特性的数据库服务器，这为PHP 又添加了一些新特性。...与 mysqli 几乎所有的特性一样，这一点可以使用面向...
php简单解析mysqli查询结果的方法(2种方法)
2020-10-22 00:50

主要介绍了php简单解析mysqli查询结果的方法,结合实例形式简单列举了查询结果存入对象与数组的两种实现方法,需要的朋友可以参考下
php使用mysqli查询数据_PHP mysqli query 链接数据库和查询实例
2021-03-22 19:05

青楚的小世界的博客 mysql_connect()已经被弃用了，使用时会出现如下错误Deprecated:mysql_connect():Themysqlextensionisdeprecatedandwillberemovedinthefuture:usemysqliorPDOinsteadin下面介绍phpmysqliquery链接数据库和查询实例$...
php+mysqli批量查询多张表数据的方法
2020-10-24 19:18

主要介绍了php+mysqli批量查询多张表数据的方法,涉及multi_query、store_result及more_results等函数的使用技巧,需要的朋友可以参考下
mysqli多查询特性实现多条sql语句查询
2020-09-10 23:32

mysqli相对于mysql有很多优势,mysqli连接数据库和mysqli预处理prepare使用,不仅如此，mysqli更是支持多查询特性
没有解决我的问题, 去提问

悬赏问题

¥50 potsgresql15备份问题
¥15 Mac系统vs code使用phpstudy如何配置debug来调试php
¥15 目前主流的音乐软件，像网易云音乐，QQ音乐他们的前端和后台部分是用的什么技术实现的?求解！
¥60 pb数据库修改与连接
¥15 spss统计中二分类变量和有序变量的相关性分析可以用kendall相关分析吗？
¥15 拟通过pc下指令到安卓系统，如果追求响应速度，尽可能无延迟，是不是用安卓模拟器会优于实体的安卓手机？如果是，可以快多少毫秒？
¥20 神经网络Sequential name=sequential, built=False
¥16 Qphython 用xlrd读取excel报错
¥15 单片机学习顺序问题！！
¥15 ikuai客户端多拨vpn，重启总是有个别重拨不上

如何使用MySQLi查询其中包含撇号的列

1条回答 默认 最新

悬赏问题

1条回答默认最新