postgresql 引用问题
$url = "What's up with "You doing this"";
$q = sprintf ("update user set url='%s'",$url);
pg_query ($db_conn, $q)
我想按照用户的意愿将所有内容插入数据库。我不想逃避任何事情。由于引号,上面的内容对我来说会失败。我知道单引号必须围绕 postgresql 字符串 (url='%s')。由于我的网址字符串中有双引号,因此查询不会更新。我确信我可以对所有双引号进行字符串替换并将它们设为单引号,但如果用户确实想要双引号怎么办?而且我不能使用字符串替换来放置反斜杠,因为根据 postgresql 文档,斜杠将很快被弃用(http://www.postgresql.org/docs/8.1/interactive/sql-syntax.html),而且这与插入相反仅用户输入的内容。
人们建议我做什么?
$url = "What's up with "You doing this"";
$q = sprintf ("update user set url='%s'",$url);
pg_query ($db_conn, $q)
I want to insert everything into the database exactly as the user wants. I don't want to escape anything. The above would fail for me because of the quotes. I know single quotes have to go around the postgresql string (url='%s'). Since there are double quotes in my url string the query will not update because of it. I'm sure I could do a string replace for all double quotes and make them single quotes but what if the user really wants double quotes. And I cannot use string replace to put a backslash because according to the postgresql docs the slash will be deprecated soon (http://www.postgresql.org/docs/8.1/interactive/sql-syntax.html) plus that goes against inserting only what the user inputted.
What do people suggest I do?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
使用 pg_escape_string 转义字符串中的引号字符。
Use pg_escape_string to escape quote characters in your string.
使用参数化查询:
Use parametrized queries:
像这样在文本中转义双引号
escape your double quotes in the text like this