在SQL查询中转义特殊字符

I have a SQL Server table with department names in it (I.e. Admissions & Registration, Women's Softball coach) and when you click a link on our page it pulls all employees under that department however when you pull the Women's Softball coach I get an error as below:

PHP Warning: mssql_query() [function.mssql-query]: >message: Line 1: Incorrect syntax near 's'. (severity 15) in >C:\Inetpub\wwwroot\DACC\directory\dept.php on line 179

PHP Warning: mssql_query() [function.mssql-query]: >message: Unclosed quotation mark before the character string ') ORDER BY Lastname'. >>>(severity 15) in C:\Inetpub\wwwroot\DACC\directory\dept.php on line 179

PHP Warning: mssql_query() [function.mssql-query]: >Query failed in C:\Inetpub\wwwroot\DACC\directory\dept.php on line 179

PHP Warning: mssql_query() [function.mssql-query]: message: Line 5: Incorrect syntax near 's'. (severity 15) in >C:\Inetpub\wwwroot\DACC\directory\dept.php on line 195

PHP Warning: mssql_query() [function.mssql-query]: >message: Unclosed quotation mark before the character string ' ORDER BY directory.LastName'. (severity 15) in C:\Inetpub\wwwroot\DACC\directory\dept.php >on line 195

I know this is an issue with escaping special characters but is there a way to do that in the query or do I have to do it in the table?

The code referenced above is here--->

$department = $_GET['dept'];

// This will evaluate to TRUE so the text will be printed.
if (isset($department)) {

 // Send a select query to MSSQL

$query = mssql_query("SELECT * FROM directory WHERE department IN (SELECT id FROM     departments WHERE name='$department') ORDER BY Lastname");

Here is how the query is executed:

   function listDepts() { 

    $query = "SELECT DISTINCT name FROM departments ORDER BY name"; 
    $result = mssql_query($query); 
    echo "<h3>Please select a department:</h3>
"; 
    echo "<ul>
"; 

    for ($i=0; $i<mssql_num_rows($result); $i++) { 
        $info = mssql_fetch_assoc($result); 
        echo "<li><a href=\"dept.php?dept=$info[name]\">$info[name]</a></li>
"; 
    } 

    echo "</ul>

"; 
}

Here is the code that generates the department list.

 function listDepts() {

$query = "SELECT DISTINCT  name FROM     departments ORDER BY     name";
$result = mssql_query($query);

echo "<h3>Please select a department:</h3>
";
echo "<ul>
";

for ($i=0; $i<mssql_num_rows($result); $i++) {
    $info = mssql_fetch_assoc($result);
    echo "<li><a href=\"dept.php?dept=$info[name]\">$info[name]</a></li>
";
}

echo "</ul>

";

 }

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dongqian8265 2012-08-28 14:00
关注
I would strongly suggest that you use prepared statement and then execute it using the variable:

$stmt = $dbh->prepare("SELECT * FROM directory WHERE department IN (SELECT id FROM departments WHERE name=?) ORDER BY Lastname"); if ($stmt->execute(array("Women's Softball coach"))) { while ($row = $stmt->fetch()) { print_r($row); } }

See PHP documentation on prepared statement for more info.

In your specific case, you'd have something like this:

$stmt = $dbh->prepare("SELECT * FROM directory WHERE department IN (SELECT id FROM departments WHERE name=?) ORDER BY Lastname"); for ($i=0; $i<mssql_num_rows($result); $i++) { if ($stmt->execute(array($result))) { $info = $stmt->fetch(); ... }
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

在PHP中的MS SQL查询中转义$字符[重复] php
2016-07-15 10:59

回答 1 已采纳 You can escape the $ and then it won't be read as a variable by PHP. echo "\$test"; Demo: https
如何在SQL查询中转义符号？ php
2011-02-07 17:26

回答 1 已采纳 Use PDO prepared statements to escape special characters … not sprintf or addslashes.
php mysqli sql语法中的转义字符串错误[关闭] mysql php sql
2014-01-28 00:07

回答 2 已采纳 You should be using single quotes, not double quotes. Also, mysqli_real_escape_string() should be
sql注入与转义的php函数代码
2021-01-20 00:57

sql注入: 　正常情况下: 　delete.php?id=3;　$sql = ‘delete from news where id = ‘.$_GET[‘id’];...　有时候从客户端传来的数据，可能恶意包含些特殊的字符，比如单引号、斜杠等，所以需要转义，
为什么添加转义字符可以防止SQL注入？ html5 jquery mysql php python
2021-01-18 15:33

回答 3 已采纳例如输入 1 and true select * from table where id = 1 and true; select * from table where id = '1
避开 mysql 的 SQL 注入实际转义字符串() mysql php sql
2011-04-21 07:56

回答 4 已采纳 Consider the following query: $iId = mysql_real_escape_string("1 OR 1=1"); $sSql = "SELECT *
regexp_replace中的转义字符串 - Postgresql和PHP php postgresql
2013-08-04 13:16

回答 2 已采纳 Found the answer myself. You have to use pg_prepare(): $dbh = pg_connect("dbname=iserv user=sbl
php中sql语句转义字符串,如何使用PHP在SQLServer中转义字符串？
2021-03-23 16:47

ISBN-978Q的博客 UYOU function ms_escape_string($data) { if ( !isset($data) or empty($data) ) return ''; if ( is_numeric($data) ) ...参数化查询是您的朋友：http：/php.net/手册/en/pdo.pread-statements.php
php中的特殊字符转义_php中对特殊字符的转义
2021-03-22 19:42

墨棏感卿的博客 Web 应用安全的基础是对输出进行转义或对特殊字符进行编码，以保证原意不变。例如，O'Reilly 在传送给MySQL 数据库前需要转义成O\'Reilly。单引号前的反斜杠代表单引号是数据本身的一部分，而不是并不是它的本义。我...
php mssql 转义,php如何转义mysql中的特殊字符
2021-05-02 03:39

揍悦的博客 php如何转义mysql中的特殊字符在php中可以通过mysqli_real_escape_string函数转义在mysql中使用的字符串中的特殊字符，其语法是“mysqli_real_escape_string(connection,escapestring);”。推荐：《PHP视频教程》PHP...
php 对特殊字符转义_php特殊字符转义函数
2021-03-23 08:16

胡天宝的博客本文介绍了php中特殊字符转义的相关函数的用法，掌握下php处理特殊字符的方法，有需要的朋友参考下。mysql和php自带很多函数可以处理字符问题,下面给出几个会经常用到的.ps:由于php6开始不支持magic_quotes_gpc,所以...
php中的特殊字符转义_php特殊字符转义详解
2021-03-22 19:42

weixin_39539563的博客 ?>复制代码小提示 htmlspecialchars( )函数与htmlentities( )函数基本...>复制代码 php过滤参数特殊字符防注入 php 过滤非法与特殊字符串的方法 php实例：特殊字符处理函数的例子替换超长文本中的特殊字符的php代码
数据库查询中遭遇特殊字符导致问题的解决方法
2020-09-14 15:12

例如，在PHP中可以使用`mysqli_real_escape_string`或`PDO::quote`来转义特殊字符；在Java中，JDBC的`PreparedStatement`接口允许使用占位符（问号`?`）来避免SQL注入，同时数据库驱动会自动处理转义。总的来说，...
没有解决我的问题, 去提问

悬赏问题

¥15 做个有关计算的小程序
¥15 MPI读取tif文件无法正常给各进程分配路径
¥15 如何用MATLAB实现以下三个公式（有相互嵌套）
¥30 关于#算法#的问题：运用EViews第九版本进行一系列计量经济学的时间数列数据回归分析预测问题求各位帮我解答一下
¥15 setInterval 页面闪烁，怎么解决
¥15 如何让企业微信机器人实现消息汇总整合
¥50 关于#ui#的问题：做yolov8的ui界面出现的问题
¥15 如何用Python爬取各高校教师公开的教育和工作经历
¥15 TLE9879QXA40 电机驱动
¥20 对于工程问题的非线性数学模型进行线性化

在SQL查询中转义特殊字符

1条回答 默认 最新

悬赏问题

1条回答默认最新