匹配数据库中的名称

时间:2013-12-17 20:02:21

标签: php mysql string mysql-error-1064 mysql-escape-string

我有一张表格,我想在其中匹配fnamelname

我的查询是

$result = $mysqli->query('SELECT * FROM user_friend_detail WHERE userId = "'.$_SESSION["userId"].'" AND FriendFirstName = "'.mysql_real_escape_string($firstName).'" AND FriendLastName = "'.mysql_real_escape_string($lastName).'"   AND   FriendStatusCode="verified" AND friendId!='.$fid.' ')  or die($mysqli->error);

问题是如果我写名Joh'nny,'的名称不匹配,我该如何解决?

1 个答案:

答案 0 :(得分:1)

由于您已经在使用mysqli,因此您也可以使用预准备语句,这样您就不必担心正确转义:

$stmt = $mysqli->prepare('SELECT * 
    FROM user_friend_detail 
    WHERE userId = ? AND FriendFirstName = ? AND FriendLastName = ?   
      AND   FriendStatusCode="verified" AND friendId <> ?');

$stmt->bind_param('issi', $_SESSION['userId'], $firstName, $lastName, $fid);
$stmt->execute();

另请参阅:mysqli::prepare()

<强>更新

此外,您可能启用了魔术引号,您应该switch it off