使用时,值不会保存在数据库中:撇号 [']
我将数据库整理更改为“ utf8_general_ci ”&列类型为 BLOB 。
addslashes :
<td <?php if($userdepart==0 ) { ?>
contenteditable="true"
onBlur="saveToDatabase(this,'name','<?php echo addslashes($orderrecords[$k]["id"]); ?>')"
<?php } ?>>
<?php echo substr(addslashes($orderrecords[$k]["name"]),0,75); ?>
</td>
我还尝试了 mysqli_real_escape_string
<td <?php if($userdepart==0 ){?>
contenteditable="true"
onBlur="saveToDatabase(this,'name','<?php echo addslashes(mysqli_real_escape_string($mysqli,$orderrecords[$k]["id"])); ?>')"
<?php }?>>
<?php echo addslashes(mysqli_real_escape_string($mysqli,substr($orderrecords[$k]["name"],0,975))); ?>
</td>
现在我真的不能使用预准备语句和参数化查询,因为这仅供公司用户使用。请帮我解决一下......
更新
function saveToDatabase(editableObj,column,id) {
if(column=="image_ready" || column=="ready_to_print" || column=="ready_to_packaging" || column=="ready_to_dispatch"){cvalue=editableObj;}else{var cvalue=$(editableObj).text();}
$.ajax({
url: "editOrder.php",
type: "POST",
data:'column='+column+'&editval='+cvalue+'&id='+id,
success: function(data){
$(editableObj).css("background","#dddddd");
if(column=="image_ready" || column=="ready_to_print" || column=="ready_to_packaging" || column=="ready_to_dispatch"){location.reload();}
}
});
editOrder.php
$sql = "UPDATE do_order set " . $_POST["column"] . " = '".$_POST["editval"]."' WHERE id=".$_POST["id"];
答案 0 :(得分:3)
使用准备好的陈述:
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);
$firstname = "John";
$lastname = "D'''oe";
$email = "john@example.com";
$stmt->execute();