如何逃避&和'在mssql和Php?

时间:2012-11-15 15:14:14

标签: php sql-server preg-replace

我很确定在这种情况下我需要像preg_replace这样的东西,但我不确定,如果是这样的话。我有一个页面,允许人们搜索员工目录(PHP和MSSQL)。他们可以按姓氏,建筑或部门搜索。姓氏和建筑都很好,但是我的三个部门有问题,两个有一个&在他们(即授予和计划)中,当你点击该部门时,它不会返回任何结果,我认为这是因为它没有将“& planning”识别为整个字符串的一部分。我遇到的另一个问题是我有一个部门有一个'在其中,它会抛出错误

  • PHP警告:mssql_query()[function.mssql-query]:message:第1行:'s'附近的语法不正确。 (严重级15)在第179行的C:\ Inetpub \ wwwroot \ DACC \ directory \ dept.php

    * PHP警告:mssql_query()[function.mssql-query]:message:字符串'ORDER BY Lastname'前面的未闭合引号。 (严重级15)在第179行的C:\ Inetpub \ wwwroot \ DACC \ directory \ dept.php *

第179行是...... $query = mssql_query("SELECT * FROM directory WHERE Displayname = '$department' ORDER BY Lastname");

以下是部门查询页面的其余代码....如果有人可以帮助我,我会非常感激! `

$department = $_GET['dept'];

 // This will evaluate to TRUE so the text will be printed.
 if (isset($department)) {
 $query = mssql_query("SELECT * FROM directory WHERE Displayname = '$department' ORDER BY Lastname");//$query = mssql_query("SELECT * FROM directory WHERE department IN (SELECT id FROM departments WHERE name='$department') ORDER BY Lastname");
 $query2 = mssql_query(
 "SELECT TOP 1 directory.FirstName, directory.Lastname, directory.email,
 directory.phone, directory.office, directory.title, directory.displayname,                departments.id AS dept_id, departments.name AS dept_name, departments.url AS dept_url
 FROM directory
 INNER JOIN departments on directory.displayname = departments.name
 WHERE directory.displayname = '$department'
 ORDER BY directory.LastName");
 $numofrows = @mssql_num_rows($query);
 // Check if there were any records
 if (!mssql_num_rows($query)) {
echo 'No records found';
echo '<br /><a href="/directory/">Go Back</a>';
 } else {
 while($row1 = mssql_fetch_array($query2))
   {
  $dept_var = $row1['dept_name'];
 $dept_id = $row1['dept_id'];
 $dept_url = $row1['dept_url'];
    print "<h3><a href=\"$dept_url\">$dept_var</a></h3>";
 }
 print "<table id=\"directory_table\" width=\"480\">
 <tr>
 <th>Name</th>
 <th>Email</th>
 <th>Phone</th>
 <th>Office</th>
 <th>Title</th>
 </tr>";    
 for($i = 0; $i < $numofrows; $i++) 
{
$row = mssql_fetch_array($query);
    if($i % 2) 
    { 
    print '<tr bgcolor="#ffffff">';
    } 
else 
    { 
    print '<tr bgcolor="#eeeeee">';
    }

    print "<td>" . $row['Firstname'] . " " . $row['Lastname'] . "&nbsp;&nbsp;</td>";
    print "<td><a href=\"mailto:" . $row['email'] . "\">" . $row['email']. "</a>&nbsp;&nbsp;</td>";
    print "<td>" . $row['phone'] . "&nbsp;&nbsp;</td>";
    print "<td>" . $row['Office'] . "&nbsp;&nbsp;</td>";
    print "<td>" . $row['Title'] . "&nbsp;&nbsp;</td>";
    print "</tr>";
}
 print "</table>";
 }
 // Free the query result
 mssql_free_result($query);
 }
 else
 print "No Search Defined";
 ?>

已编辑以显示更改 好的尝试了这个:

    $serverName = "localhost"; //serverName\instanceName
    $connectionInfo = array( "Database"=>"DACC", "UID"=>"daccweb", "PWD"=>"go");
    $conn = sqlsrv_connect( $serverName, $connectionInfo);

if( $conn ) {
 echo "Connection established.<br />";
}else{
 echo "Connection could not be established.<br />";
 die( print_r( sqlsrv_errors(), true));
}
//$conn = sqlsrv_connect("connection string here");
$queryParams = array($department);


//Selector links
print "<a href=\"/directory/\">Go back to main search</a><br />";
print "<u>Search for Employees:</u><br /><br />\n";

print "<br />";





//$officeloc = $_GET['building'];
$department = $_GET['dept'];

// This will evaluate to TRUE so the text will be printed.
if (isset($department)) {


$query = sqlsrv_query($conn, "SELECT * FROM directory WHERE Displayname = ? ORDER BY Lastname", $params);

$query2 = sqlsrv_query($conn, "SELECT TOP 1 directory.FirstName, directory.Lastname, directory.email,
directory.phone, directory.office, directory.title, directory.displayname,
 departments.id AS dept_id, departments.name AS dept_name, departments.url AS dept_url
 FROM directory
INNER JOIN departments on directory.displayname = departments.name
WHERE directory.displayname = ?
ORDER BY directory.LastName", $params);

NEW EDIT
查询运行但不回显/打印结果     $ query = sqlsrv_query($ conn,“SELECT * FROM directory WHERE Displayname =?ORDER BY Lastname”,$ params); 

$query2 = sqlsrv_query($conn, "SELECT TOP 1 directory.FirstName, directory.Lastname, directory.email,
directory.phone, directory.office, directory.title, directory.displayname,
departments.id AS dept_id, departments.name AS dept_name, departments.url AS dept_url
FROM directory
INNER JOIN departments on directory.displayname = departments.name
WHERE directory.displayname = ?
ORDER BY directory.LastName", $params);


$numofrows = @@sqlsrv_has_rows($query);

// Check if there were any records
if (!@sqlsrv_has_rows($query)) {
echo 'No records found';
echo '<br /><a href="/directory/">Go Back</a>';
} else {



while($row1 = sqlsrv_fetch_array($query2))
  {
    $dept_var = $row1['dept_name'];
    $dept_id = $row1['dept_id'];
    $dept_url = $row1['dept_url'];


   print "<h3><a href=\"$dept_url\">$dept_var</a></h3>";
  //echo "</h3><br />";
    }



    print "<table id=\"directory_table\" width=\"480\">
    <tr>
<th>Name</th>
<th>Email</th>
<th>Phone</th>
<th>Office</th>
<th>Title</th>

</tr>"; 
for($i = 0; $i < $numofrows; $i++) 
{
$row = sqlsrv_fetch_array($query);
    if($i % 2) 
    { 
    print '<tr bgcolor="#ffffff">';
    } 
else 
    { 
    print '<tr bgcolor="#eeeeee">';
    }

    print "<td>" . $row['Firstname'] . " " . $row['Lastname'] . "&nbsp;&nbsp;</td>";
    print "<td><a href=\"mailto:" . $row['email'] . "\">" . $row['email']. "</a>&nbsp;&nbsp;</td>";
    print "<td>" . $row['phone'] . "&nbsp;&nbsp;</td>";
    print "<td>" . $row['Office'] . "&nbsp;&nbsp;</td>";
    print "<td>" . $row['Title'] . "&nbsp;&nbsp;</td>";
    print "</tr>";
}
print "</table>";
}

// Free the query result
sqlsrv_free_stmt($query);
}
else
print "No Search Defined";

1 个答案:

答案 0 :(得分:3)

你可以在PHP和MSSQL中使用SQL参数,看看这个:

http://blogs.msdn.com/b/sqlphp/archive/2008/09/30/how-and-why-to-use-parameterized-queries.aspx

您的参数值将自动转义,无需您做任何工作。

您需要使用sqlsrv驱动程序,请参阅:http://www.php.net/manual/en/sqlsrv.setup.php

为了获得行数,我们还需要指定一些查询选项。 (请查看http://www.php.net/manual/en/function.sqlsrv-num-rows.phphttp://msdn.microsoft.com/en-us/library/hh487160.aspx

$conn = sqlsrv_connect("connection string here");
$queryParams = array($department);
$queryOptions = array( "Scrollable" => "buffered" );
$query = sqlsrv_query($conn, "SELECT * FROM directory WHERE Displayname = ? ORDER BY Lastname", $queryParams, $queryOptions);

$query2 = sqlsrv_query($conn, "SELECT TOP 1 directory.FirstName, directory.Lastname, directory.email,
directory.phone, directory.office, directory.title, directory.displayname,
departments.id AS dept_id, departments.name AS dept_name, departments.url AS dept_url
FROM directory
INNER JOIN departments on directory.displayname = departments.name
WHERE directory.displayname = ?
ORDER BY directory.LastName", $queryParams, $queryOptions);

$numofrows = sqlsrv_num_rows($query);

请注意,构建数组的顺序必须与?符号在查询中出现的顺序一致。由于您在每个查询中只使用一个参数并且它们是相同的,因此您只需构建一个数组。

然后,您将使用sqlsrv函数替换所有mssql函数,以获取函数列表及其用法,请参阅文档:http://www.php.net/manual/en/ref.sqlsrv.php

相关问题
最新问题