Question

我需要帮助才能逃避单引号。我已经检查了很多材料，但我不够精明，无法使用它。我的PHP代码如下。

<?php
    $db = new PDO("mysql:host=localhost;dbname=tool", 'root', 'password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
    $rne = file_get_contents('/path/export.txt');

    $sql = "
        LOAD DATA INFILE '/path/UCBTexport.txt'INTO TABLE tool_tbl FIELDS TERMINATED BY ',' ( Bug_ID, Date_Tool_Ran, Headline, Submitted_By, Create_Modify_Date, Severity, Status );
        UPDATE `tool_tbl` SET `Release_Notes`= '$rne' WHERE id = LAST_INSERT_ID()
        ";

    $stmt = $db->prepare($sql);
    $stmt->execute();
    $i = 0;

    do {
        $i++;
    }
    while ($stmt->nextRowset())
        ;

    $error = $stmt->errorInfo();
    if ($error[0] != "00000")
    {
        echo "Query $i failed: " . $error[2];
    }
    else
    {
        echo "inserted Successfully";
    }
    die();

我的查询都有可能偶尔包含所有类型特殊字符的文本。如何在此代码中使用mysql_real_escape_string来转义特殊字符？

Answer 1

尝试一下它可以帮到你

<?php
        $db = new PDO("mysql:host=localhost;dbname=tool", 'root', 'password');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
        $rne = file_get_contents('/path/export.txt');

            $sql = <<<SQL
    LOAD DATA INFILE '/path/UCBTexport.txt' INTO TABLE tool_tbl FIELDS TERMINATED BY ',' ( Bug_ID, Date_Tool_Ran, Headline, Submitted_By, Create_Modify_Date, Severity, Status );
    UPDATE `tool_tbl` SET `Release_Notes`= '$rne' WHERE id = LAST_INSERT_ID()
    SQL;

        $stmt = $db->prepare($sql);
        $stmt->execute();
        $i = 0;

           do {
              $i++;
              } 
           while ($stmt->nextRowset());


         $error = $stmt->errorInfo();
          if ($error[0] != "00000")

              { 
            echo "Query $i failed: " . $error[2];
              }
            else
              {
            echo "inserted Successfully";
              }
      die();

Answer 2

尝试替换为此。

$sql = "LOAD DATA INFILE '/path/UCBTexport.txt' INTO TABLE `tool_tbl` FIELDS TERMINATED BY ','( Bug_ID, Date_Tool_Ran, Headline, Submitted_By, Create_Modify_Date, Severity, Status ) ;
SET @last_id = LAST_INSERT_ID();
UPDATE `tool_tbl` SET `Release_Notes`= $rne WHERE id=@last_id";

Answer 3

<?php
    $db = new PDO("mysql:host=localhost;dbname="tool", 'root', 'password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);

    $rne = file_get_contents('/path/export.txt');
    $rne = mysql_real_escape_string($rne); >>>> this is the addition that fixed 

       $sql = "
            LOAD DATA INFILE '/path/UCBTexport.txt'INTO TABLE tool_tbl FIELDS TERMINATED BY ',' ( Bug_ID, Date_Tool_Ran, Headline, Subm
            itted_By, Create_Modify_Date, Severity, Status );
            UPDATE `tool_tbl` SET `Release_Notes`= '$rne' WHERE id = LAST_INSERT_ID()
              ";

$stmt = $db->prepare($sql);
$stmt->execute();
$i = 0;

Answer 4

这是一个老问题，但我写了这个答案，因为接受的答案使用了不推荐使用的mysql_real_escape_string（）。

可以使用$ stmt-＆gt; bindParam（＆＃34;：parameter_name＆＃34;，$ php_variable，PDO :: PARAM_STR）;并且不需要逃脱单引号

    $db = new PDO("mysql:host=localhost;dbname=tool", 'root', 'password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
    $rne = file_get_contents('/path/export.txt');

       $sql = "
        LOAD DATA INFILE '/path/UCBTexport.txt'INTO TABLE tool_tbl FIELDS TERMINATED BY ',' ( Bug_ID, Date_Tool_Ran, Headline, Subm
itted_By, Create_Modify_Date, Severity, Status );
UPDATE `tool_tbl` SET `Release_Notes`= :rne WHERE id = LAST_INSERT_ID()
         ";

    $stmt = $db->prepare($sql);
    $stmt->bindParam(":rne", $rne, PDO::PARAM_STR);
    $stmt->execute();

单引号在PHP + MySQL + PDO中转义

4 个答案: