我有一个包含一些商业名称的db表。
我需要按名称查询,除非名称包含撇号,否则通常没有问题。
("
SELECT*
FROM t1
WHERE bus_name = '".$busName."'
")
我已尝试并尝试使用静态值,如下所示:
("
SELECT*
FROM t1
WHERE bus_name = \"Bob's store\"
")
它有效。尝试:
("
SELECT*
FROM t1
WHERE bus_name = \"".$busName."\"
")
并没有。我错过了什么?
答案 0 :(得分:1)
你应该prepare the query,这是一个使用PDO的例子
@Override
public void onNavigationDrawerItemSelected(int position) {
Bundle charInfo = new Bundle();
charInfo.putString(NAME, name);
charInfo.putLong(KEY_ID, keyId);
Intent characterInfo = new Intent(getBaseContext(), CharacterInfo.class);
characterInfo.putExtras(charInfo);
intent = getIntent();
String vName = intent.getStringExtra(NAME);
Bundle args = new Bundle();
args.putString("name", vName);
CharacterBasic characterBasic = new CharacterBasic();
characterBasic.setArguments(args);
Fragment f;
// TODO: Insert SQLite code, getName
switch (position) {
case 0:
mTitle1 = vName + "'s" + " Character Info";
f = new CharacterBasic.newInstance(keyId, vName);
break;
case 1:
mTitle1 = vName + "'s" + " Skills & Attrs.";
f = new Display_SkillsAndAttributes();
break;
case 2:
mTitle1 = vName + "'s" + " Knowledge";
f = new Knowledge();
break;
case 3:
mTitle1 = vName + "'s" + " Backpack";
f = new Inventory();
break;
case 4:
mTitle1 = vName + "'s" + " Equipped Items";
f = new Equipped();
break;
case 5:
mTitle1 = vName + "'s" + " Damage Tracker";
f = new DamageTracker();
break;
case 6:
mTitle1 = vName + "'s" + " Combat Sheet";
f = new CombatSheet();
break;
case 7:
mTitle1 = vName + "'s" + " Social Sheet";
f = new SocialSheet();
break;
default:
mTitle1 = vName;
f = new CharacterInfo_Default();
break;
}
答案 1 :(得分:0)
为此(或任何)案例使用准备好的陈述。
$pdo = new PDO(...);
$stmt = $pdo->prepare('SELECT ... FROM ... WHERE foo = :foo');
$stmt->bindValue(':foo', "foo ' bar");
$stmt->execute();
您当前状态的源容易受到命令注入(SQL注入)的攻击。</ p>