这在mysql中:
Column: Title
___________
Children's
代码:
$result = mysql_query("SELECT * FROM bookings_css_multi_lang WHERE model='pjCourse' AND field = 'title' AND content LIKE '%".$searchTerm."%' LIMIT $start_from, $results_per_page");
while ($myrow = mysql_fetch_row($result))
{
答案 0 :(得分:0)
如果确实必须使用过时的mysql扩展名,则必须转义输入以防止出现此类语法错误。使用:
$searchTerm = mysql_real_escape_string($searchTerm);
查询之前。
但是您确实应该转换为mysqli或PDO`,这样您就可以编写参数化查询。在PDO中,您可以这样写:
$stmt = $pdo->prepare("
SELECT *
FROM bookings_css_multi_lang
WHERE model='pjCourse' AND field = 'title'
AND content LIKE CONCAT('%', :search_term, '%')
LIMIT :start_from, :results_per_page");
$stmt->bindParam(':search_term', $searchTerm);
$stmt->bindParam(':start_from', $start_from);
$stmt->bindParam(':results_per_page', $results_per_page);
$stmt->execute();
while($myrow = $stmt->fetch(PDO::FETCH_ASSOC)) {
...
}