无法匹配包含撇号的结果

时间:2015-11-13 16:14:50

标签: php mysql

我有一个包含一些商业名称的db表。

我需要按名称查询,除非名称包含撇号,否则通常没有问题。

("
SELECT*
FROM t1
WHERE bus_name = '".$busName."' 
")

我已尝试并尝试使用静态值,如下所示:

("
SELECT*
FROM t1
WHERE bus_name = \"Bob's store\" 
")

它有效。尝试:

("
SELECT*
FROM t1
WHERE bus_name = \"".$busName."\" 
")

并没有。我错过了什么?

2 个答案:

答案 0 :(得分:1)

你应该prepare the query,这是一个使用PDO的例子

@Override
public void onNavigationDrawerItemSelected(int position) {
    Bundle charInfo = new Bundle();
    charInfo.putString(NAME, name);
    charInfo.putLong(KEY_ID, keyId);
    Intent characterInfo = new Intent(getBaseContext(), CharacterInfo.class);
    characterInfo.putExtras(charInfo);
    intent = getIntent();
    String vName = intent.getStringExtra(NAME);

    Bundle args = new Bundle();
    args.putString("name", vName);
    CharacterBasic characterBasic = new CharacterBasic();
    characterBasic.setArguments(args);
    Fragment f;

    // TODO: Insert SQLite code, getName
    switch (position) {
        case 0:
            mTitle1 = vName + "'s" + " Character Info";
            f = new CharacterBasic.newInstance(keyId, vName);
            break;
        case 1:
            mTitle1 = vName + "'s" + " Skills & Attrs.";
            f = new Display_SkillsAndAttributes();
            break;
        case 2:
            mTitle1 = vName + "'s" + " Knowledge";
            f = new Knowledge();
            break;
        case 3:
            mTitle1 = vName + "'s" + " Backpack";
            f = new Inventory();
            break;
        case 4:
            mTitle1 = vName + "'s" + " Equipped Items";
            f = new Equipped();
            break;
        case 5:
            mTitle1 = vName + "'s" + " Damage Tracker";
            f = new DamageTracker();
            break;
        case 6:
            mTitle1 = vName + "'s" + " Combat Sheet";
            f = new CombatSheet();
            break;
        case 7:
            mTitle1 = vName + "'s" + " Social Sheet";
            f = new SocialSheet();
            break;
        default:
            mTitle1 = vName;
            f = new CharacterInfo_Default();
            break;
    }

答案 1 :(得分:0)

为此(或任何)案例使用准备好的陈述。

$pdo = new PDO(...);
$stmt = $pdo->prepare('SELECT ... FROM ... WHERE foo = :foo');

$stmt->bindValue(':foo', "foo ' bar");
$stmt->execute();

您当前状态的源容易受到命令注入(SQL注入)的攻击。<​​/ p>