Mysql real escape string loop multiple variables

Posted 2024-07-30 03:02:54, 732 characters, 3 views, 0 comments


Say I want to insert into name, address, city, state, zip values $name, $address Etc.....

How can I run mysql_real_escape_string on each of the variables before inserting. There has got to be a foreach or loop or while method instead of writing out each variable right?

Thanks for the help.

Tom

so if I have

$data = array($address, $city, $name);
array_map('mysql_real_escape_string', $data);

and

$columns = "name, address, city, state, zip";
$count = $dbh->exec("INSERT INTO customer($columns) VALUES ($data)");

I get a ton of errors.

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'root'@'localhost' (using password: NO) in /Users/tommyscott45/Sites/experiment/result.php on line 23

now what?


Comments (4)

小伙你站住 2024-08-06 03:02:54


A database error has occurred when trying to invoke mysql_real_escape_string and I see that you're using $dbh->exec() to execute the query. This suggests that you connect to the database with PDO, so you should rather use PDO::quote instead of mysql_real_escape_string.

Moreover, as others have already mentioned, a better way to solve your problem would be to use prepared statements and PDO::prepare.

独夜无伴 2024-08-06 03:02:54


You use sprintf.

For example

// INSERT ... SET is MySQL's column = value insert form; $link must be an open mysqli connection
$query = sprintf("INSERT INTO customer SET name = '%s', address = '%s', city = '%s'",
                 mysqli_escape_string($link, $name),
                 mysqli_escape_string($link, $address),
                 mysqli_escape_string($link, $city));

Or is that not exactly what you were looking for: a way to avoid typing "mysqli_escape_string" over and over again?

深者入戏 2024-08-06 03:02:54


This should work.

$data = array($address, $city, $name);
// array_map() returns the escaped copy; it does not change $data in place
$data = array_map('mysql_real_escape_string', $data);

But you really should not use the mysql extension anymore. Have a look at PDO or mysqli and their support for "prepared statements".

秋叶绚丽 2024-08-06 03:02:54


You have several problems.

First is that you need to assign the output of array_map() to a variable as it doesn't do in-place conversion. Then you need to implode it back to a string.

$data = "'".implode("', '", array_map('mysql_real_escape_string', $data))."'";

The bigger problem is that you're hand assembling SQL instead of using a data access layer which would take the information you're wanting to save and use its knowledge about where you want to store it to assemble a correct SQL statement, with proper quoting and all.

This is also the impetus behind suggestions to use prepared statements, incidentally, but just using prepared statements is only half of the solution because you would still be assembling SQL statements.
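Since the answers above point to prepared statements, here is an added example (not code from any of the answers) that does the loop the question asks for with PDO named parameters instead of escaping each value. It assumes a `customer` table with the five columns from the question and a `$dbh` PDO handle; the DSN and credentials are placeholders.

```php
<?php
// Added example: insert the question's five fields through a PDO prepared
// statement. Column names are SQL identifiers and cannot be bound as
// parameters, so they come from a fixed allow-list in code, never from input.
const CUSTOMER_COLUMNS = ['name', 'address', 'city', 'state', 'zip'];

/**
 * Build "INSERT INTO customer (name, ...) VALUES (:name, ...)" once and bind
 * every value. No escaping is needed: values never become part of the SQL text.
 */
function insertCustomer(PDO $dbh, array $row): int
{
    foreach (CUSTOMER_COLUMNS as $col) {
        if (!array_key_exists($col, $row)) {
            throw new InvalidArgumentException("missing column: $col");
        }
    }
    $placeholders = array_map(fn($c) => ':' . $c, CUSTOMER_COLUMNS);
    $sql = sprintf(
        'INSERT INTO customer (%s) VALUES (%s)',
        implode(', ', CUSTOMER_COLUMNS),
        implode(', ', $placeholders)
    );
    $stmt = $dbh->prepare($sql);
    foreach (CUSTOMER_COLUMNS as $col) {
        // bindValue sends the value to the server separately from the query
        $stmt->bindValue(':' . $col, (string) $row[$col], PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Placeholder DSN and credentials. ERRMODE_EXCEPTION makes failures (such as
// the "Access denied" the question hit) throw instead of returning false;
// disabling emulation uses real server-side prepares.
$dbh = new PDO('mysql:host=localhost;dbname=experiment', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$inserted = insertCustomer($dbh, [
    'name'    => "O'Brien",      // the quote that breaks a hand-built string
    'address' => '1 Main St',
    'city'    => 'Springfield',
    'state'   => 'IL',
    'zip'     => '62701',
]);
echo "$inserted row inserted\n";
```

If the set of columns must vary per call, keep the allow-list and intersect the incoming keys with it rather than interpolating caller-supplied names.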
