我有这个查询
$query = "SELECT * FROM customers WHERE customer_name = '{$orders}'";
但是$orders的值只有一个引用('),例如:
$orders = "Carlo's shop";
查询返回错误。
有没有办法处理这种情况?
答案 0 :(得分:2)
使用mysql_real_escape_string()转义单引号。请参阅reference docs。
$orders = mysql_real_escape_string($orders);
$query = "SELECT * FROM customers WHERE customer_name = '$orders'";
将PDO与准备好的陈述一起使用。请参阅reference docs。
$query = $pdo->prepare('SELECT * FROM customers WHERE customer_name= :orders');
$query ->execute(array('orders' => $orders));
mysqli with prepared statements。