我有以下插入方法:
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if (isset($_SERVER['QUERY_STRING'])) {
$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
foreach ($_POST['Category'] as $value){
$Full_Description = $_POST['Full_Description'];
$Specification = $_POST['Specification'];
$BriefDescription = $_POST['BriefDescription'];
$MPN = $_POST['MPN'];
$GTIN = $_POST['GTIN'];
$Product = $_POST['Product'];
$Color = $_POST['Color'];
$Model = $_POST['Model'];
$Manufacturer = $_POST['Manufacturer'];
$Category = $_POST['Category'];
$submitted = $_POST['submit'];
$insertSQL = sprintf("INSERT INTO products (Category, Manufacturer, Model, Color, Product, GTIN, MPN, BriefDescription, Specification, Full_Description) VALUES ('$value', '$Manufacturer','$Model','$Color','$Product','$GTIN','$MPN','$BriefDescription','$Specification','$Full_Description')",
GetSQLValueString($_POST['Category'], "text"),
GetSQLValueString($_POST['Manufacturer'], "text"),
GetSQLValueString($_POST['Model'], "text"),
GetSQLValueString($_POST['Color'], "text"),
GetSQLValueString($_POST['Product'], "text"),
GetSQLValueString($_POST['GTIN'], "text"),
GetSQLValueString($_POST['MPN'], "text"),
GetSQLValueString($_POST['BriefDescription'], "text"),
GetSQLValueString($_POST['Specification'], "text"),
GetSQLValueString($_POST['Full_Description'], "text");
mysql_select_db($database_dconn, $dconn);
$Result1 = mysql_query($insertSQL, $dconn) or die(mysql_error());
}}
数据库字段是: Full_Description longtext
插入数据工作正常,直到Full_Description包含&#34; 's&#34;。出现的错误是:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's
我不知道为什么。有人可以提供帮助吗?如果很明显我很抱歉,但我真的很挣扎 欢迎任何帮助
答案 0 :(得分:2)
在插入字符串之前使用mysql_real_escape_string()。
$item = "Zak's and Derick's Laptop";
$escaped_item = mysql_real_escape_string($item, $link);
printf("Escaped string: %s\n", $escaped_item);
在此处查看更多内容:http://php.net/manual/en/function.mysql-real-escape-string.php
答案 1 :(得分:0)
编辑:
重写了我的答案,因为你的问题似乎实际上是你的sprintf用法,而不是你的逃避。你这样使用它:
$insertSQL = sprintf("INSERT INTO products (Category, Manufacturer, Model, Color, Product, GTIN, MPN, BriefDescription, Specification, Full_Description) VALUES ('$value', '$Manufacturer','$Model','$Color','$Product','$GTIN','$MPN','$BriefDescription','$Specification','$Full_Description')",
但要使它工作,你应该像这样使用它:
$insertSQL = sprintf("INSERT INTO products (Category, Manufacturer, Model, Color, Product, GTIN, MPN, BriefDescription, Specification, Full_Description) VALUES ('%s', '%s','%s','%s','%s','%s','%s','%s','%s','%s')",
有关详细信息,请参阅sprintf manual。
(PS。还应该注意,你应该真正使用连接参数到mysql_real_escape_string来考虑字符集,或者使用准备好的语句。但这是一个改进,与你的问题无关。)