dtj88302 2015-05-03 20:18
浏览 47
已采纳

如何在MySQL的表单字段中接受撇号

I have a form that accepts a few names and phone numbers and posts them to a PHP script which then inserts those values into a MySQL table. The code (PHP) is pretty straightforward as you can see here:

$sql = "INSERT INTO Contact_table (PHONE, NAME) VALUES ";
for ($i = 0; $i < $arr; ++$i){
    $sql .= "('".$numbers[$i]."', '".$names[$i]."'),";
}
$sql = substr($sql, 0, -1)." ON DUPLICATE KEY UPDATE name = COALESCE(VALUES(name), name);";
$connect = dbconn(PROJHOST,PROJDB,PROJDBUSER,PROJDBPWD);

$query = $connect->query($sql);
$connect = NULL;

And this works perfect except that it refuses to accept any names like O'Hara or D'Souza. I am vaguely aware of PDO's prepared statement having some use in this scenario but I couldn't make it work. What I tried was this:

$query = $connect->prepare($sql);
$query->execute();

Instead of this:

$query = $connect->query($sql);

Any hints? What am I missing?

  • 写回答

1条回答 默认 最新

  • douliao5550 2015-05-04 03:25
    关注

    There are several ways to handle your problem. You can escape your strings using real_escape_string however there, as you suggest better ways. The best one is through prepared statements using either mysqli or PDO.

    Since you mention PDO, which is an excellent approach, here's how to handle it this way:

    The first thing involves running the connection through try and catch and then you run your query with placeholders, and then bind your variables to these placeholders. Here's a simple way of how it works:

    try {
$connect = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
 $stmt = $conn->prepare("INSERT INTO Contact_table (PHONE, NAME) VALUES (:PHONE, :NAME)");
 $stmt->bindParam(':PHONE', $PHONE);
 $stmt->bindParam(':NAME', $NAME);
//then name your variables like so
$PHONE = [whatever your phone number variable(s) is/are equal to];
$NAME = [whatever the NAME variable(s) is/are equal to];
$stmt->execute();
//note the last section can occur within a loop, much like you have above.
catch(PDOException $error)
}
{
echo "Error: " . $error->getMessage();
}
$connect = null;
}

    Note, not only will this allow any fields with special characters such as apostrophes, it will run much faster for large queries, and have the added bonus of being a lot more secure, as it pretty much eliminates most methods of SQL injection.

    You can also accomplish this with mysqli prepared statements, however PDO has the added advantage of being database agnostic, in that there are easy connections to databases other than MySQL.

    Also, you can use the ? method for loosely defined parameters as mentioned in one of the comments, but this also lends itself to being able manipulate these as objects.

    Here's a good reference if you wish to learn more: PHP Prepared Statements

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?
  • ¥15 c++头文件不能识别CDialog
  • ¥15 Excel发现不可读取的内容
  • ¥15 关于#stm32#的问题:CANOpen的PDO同步传输问题