duancenxiao0482 2014-09-12 19:45
浏览 50
已采纳

SQL Server替换php变量中的撇号

I'm trying to remove apostrophes within certain fields of a SQL Server query within PHP, and despite the fact that I'm throwing in the extra set of ''s in the string pattern section, it still errors out when an apostrophe is found within the result.. I'm not sure what I'm doing wrong here, any help would be hugely appreciated!

This section of the code loops through each row result from a web scrape and throws it into a new table row for each result. The functionality works, but it errors out and breaks the loop whenever an apostrophe is returned by the query.

for($i = 1, $max = count($table); $i < $max; ++$i) {
$dbrow = $table[$i];
$insquery = "INSERT INTO db.schema.table (EVENT_ID, EVENT_CODE, DESCRIPTION, 
STATUS, SITE_STATUS, CITY, COUNTY, ZIP, STATE, STARTDATE, ENDDATE, YEARS_PRIOR, TOTAL_PRICE,
CUSTODIAN_FEE, ESTIMATED_FEES, FEE_TYPE, SD, PROGRAM, RC_LN, BUF_AMOUNT, LOC_PREM, 
ST_PREM, SNAPSHOT_DATE) VALUES('".$dbrow[0]."','".$dbrow[1]."', replace('".$dbrow[2]."','''', ''),'".$dbrow[3]."','".$dbrow[4]."', replace('".$dbrow[5]."','''', ''), replace('".$dbrow[6]."','''', ''),'".$dbrow[7]."','".$dbrow[8]."','".$dbrow[9]."','".$dbrow[10]."','".$dbrow[11]."','".$dbrow[12]."','".$dbrow[13]."','".$dbrow[14]."','".$dbrow[15]."', replace('".$dbrow[16]."','''', ''), replace('".$dbrow[17]."','''', ''), replace('".$dbrow[18]."','''', ''), replace('".$dbrow[19]."','''', ''),'".$dbrow[20]."','".$dbrow[21]."','".$dbrow[22]."');";
sqlsrv_query($conn, $insquery) or die ("Error in query: $insquery. ".sqlsrv_errors());
echo $insquery . "<br>";
};
  • 写回答

1条回答 默认 最新

  • duanduo7400 2014-09-12 19:59
    关注

    Of course it does. You're trying to replace the apostrophes in SQL itself. Consider this statement:

    replace('don't','''', '')

    How is SQL Server supposed to evaluate that? It opens a string, then after three letters closes that string, then encounters an errant t character resulting in a syntax error.

    The query itself needs to be syntactically valid for SQL to execute it. SQL can't fix syntax errors in its own code. You would need to conduct the replacement for single-quotes in PHP, not in SQL.

    In any event, there's a really neat solution to all of this. Prepared statements. Don't worry about quoting at all, let the engine handle that for you. For example:

    $sql = "INSERT INTO Table_1 (id, data) VALUES (?, ?)";
$params = array(1, "some data");

$stmt = sqlsrv_query($conn, $sql, $params);

    This, of course, has the added benefit of helping to protect you from SQL injection attacks, something to which your current code is very likely vulnerable.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 有关区间dp的问题求解
  • ¥15 多电路系统共用电源的串扰问题
  • ¥15 slam rangenet++配置
  • ¥15 有没有研究水声通信方面的帮我改俩matlab代码
  • ¥15 对于相关问题的求解与代码
  • ¥15 ubuntu子系统密码忘记
  • ¥15 信号傅里叶变换在matlab上遇到的小问题请求帮助
  • ¥15 保护模式-系统加载-段寄存器
  • ¥15 电脑桌面设定一个区域禁止鼠标操作
  • ¥15 求NPF226060磁芯的详细资料