我有一张表格,我想在其中匹配fname
和lname
我的查询是
$result = $mysqli->query('SELECT * FROM user_friend_detail WHERE userId = "'.$_SESSION["userId"].'" AND FriendFirstName = "'.mysql_real_escape_string($firstName).'" AND FriendLastName = "'.mysql_real_escape_string($lastName).'" AND FriendStatusCode="verified" AND friendId!='.$fid.' ') or die($mysqli->error);
问题是如果我写名Joh'nny,
,'
的名称不匹配,我该如何解决?
答案 0 :(得分:1)
由于您已经在使用mysqli,因此您也可以使用预准备语句,这样您就不必担心正确转义:
$stmt = $mysqli->prepare('SELECT *
FROM user_friend_detail
WHERE userId = ? AND FriendFirstName = ? AND FriendLastName = ?
AND FriendStatusCode="verified" AND friendId <> ?');
$stmt->bind_param('issi', $_SESSION['userId'], $firstName, $lastName, $fid);
$stmt->execute();
另请参阅:mysqli::prepare()
<强>更新强>
此外,您可能启用了魔术引号,您应该switch it off。