PHP MySQLI准备插入来处理引号和双引号

Question

我有一个准备好的 mysqli 插入语句，但是当我尝试用引号或双引号插入数据时，我收到了这个错误：Prepare failed: (1064) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Ask me in six months.' We don’t have six months to wait," he said. "I have a p' at line 1

当我在尝试插入的文本周围使用mysqli_real_escape_string 时，它会作为空数据插入到我的数据库中。

有没有更好的方法来处理单引号或双引号？还是我的代码有问题？

$connection = new mysqli("localhost", "username", "password", "database");

            if (mysqli_connect_errno()) {
                    printf("Connect failed: %s\n", mysqli_connect_error());
                    exit();
            }

if (!($stmt = $connection->prepare("INSERT INTO `in-the-press` (title, `date`, preview, description, image, detailImage, showDetailImage) VALUES ('" . $title . "', '" . $date . "', '" . $preview . "', '" . $description . "','" . $image . "', '" . $detailImage . "', " . $showDetailedImage . ")"))) {
                        echo "Prepare failed: (" . $connection->errno . ") " . $connection->error;
                }else{

                        $stmt->execute();
                        echo 'Press has been added <br>';
                }

我尝试过使用mysqli_real_escape_string($title), mysqli_real_escape_string($preview) & mysqli_real_escape_string($description)，但就像我说的它会将其作为空字符串插入数据库:(

Answer 1

正如迈克尔在他的 comment 中所说的那样

---

由于您将mysqli 与prepare() 和execute() 一起使用，因此最好使用bind_param()

$stmt = $mysqli->prepare("INSERT INTO `in-the-press` (title, `date`, preview, description, image, detailImage, showDetailImage) VALUES (?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param('sssssss', $title, $date, $preview, $description, $image, $detailImage, $showDetailedImage);


/* execute prepared statement */
$stmt->execute();

printf("%d Row inserted.\n", $stmt->affected_rows);

/* close statement and connection */
$stmt->close();

^{以上只是一个例子，我不知道你的数据库架构/结构是什么样的}

细分：

• s 表示字符串。
• d 表示双倍。

您可以在上面的bind_param 链接中阅读有关类型（i、s、d、b）的更多信息。