dongle7553 2014-05-20 10:18
Views: 24
Accepted

too long

Is it possible to escape a whole query instead of each searched field. For example I know I can do it like this:

$name="O'Connor";
$email="mark.O'Connor@something.com";

$name=mysql_real_escape_string($name);
$email=mysql_real_escape_string($email);

$query =("SELECT * FROM TABLE1 WHERE Name = '$name' OR Email = '$email' ");

// code to run query here 

What I am looking for is a way to build my query string like this :

$query=("SELECT * FROM TABLE1 WHERE Name = '$name' OR Email = '$email' ");
$query=mysql_real_escape_string($query); // Can I escape the whole Query ??

// code to run query here 

My reason for asking this is that I have a complex query which is using around 15 variables from a form and I want to clean them all at once instead of using loads of mysql_real_escape_string($variableName)...

Is this possible, and can anyone explain how I can achieve this?

Thanks in advance


2 answers

  • dongtang6775 2014-05-20 10:26

    As others have pointed out, using prepared statements is the best way to go. But in case you still want to proceed ahead, you can do something like this:

    foreach($_POST as $key=>$value)
    {
       // this will take care of escaping all form elements
       $$key = mysql_real_escape_string($value);
    }
    

    So if your form contains 3 elements whose names are abc, def, and ghi, the above code will create variables named as $abc, $def, and $ghi respectively.

    Then you can use them in query as before:

    $query = "SELECT * FROM TABLE1 WHERE Name = '$abc' OR Email = '$def'";
    
    This answer was selected by the asker as the best answer.
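Escaping the assembled query string cannot work: mysql_real_escape_string would also escape the quotes that delimit each value, turning `Name = 'O'Connor'` into `Name = \'O\'Connor\'` and breaking the SQL. The prepared-statement route the answer recommends removes the per-field escaping entirely. The following is an added example, not code from the question or the answer; it assumes PDO with the MySQL driver, a placeholder DSN and credentials, and the TABLE1/Name/Email schema from the question.

```php
<?php
// Added example (not from the original question or answer): the same lookup done
// with a PDO prepared statement, so no field is ever escaped by hand.
// Assumptions: MySQL reachable via the placeholder DSN below, and a table TABLE1
// with columns Name and Email as in the question.

$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder DSN
    'example_user',                                          // placeholder credentials
    'example_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, values sent separately
    ]
);

// Read only the form fields the query needs. Unlike the $$key loop, this does
// not let an arbitrary form field name become a PHP variable, and it scales to
// the 15 fields the asker mentions by extending this list.
$allowed = ['name', 'email'];
$params  = [];
foreach ($allowed as $field) {
    $params[':' . $field] = $_POST[$field] ?? '';
}

// The SQL text is fixed at compile time; the values travel to the server as
// bound parameters, so a quote inside "O'Connor" is data, never SQL syntax.
$stmt = $pdo->prepare(
    'SELECT * FROM TABLE1 WHERE Name = :name OR Email = :email'
);
$stmt->execute($params);

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Output-encode on the way out; escaping for SQL and escaping for HTML are
    // separate concerns and neither substitutes for the other.
    echo htmlspecialchars($row['Name']), ' <', htmlspecialchars($row['Email']), ">\n";
}
```

Adding further form fields means adding their names to `$allowed` and their `:placeholder` to the SQL; the query text itself never changes shape based on input, which is the property escaping was trying to approximate.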