I have this query
$query = "SELECT * FROM customers WHERE customer_name = '{$orders}'";
but the value of $orders contains a single quote ('), for example:
$orders = "Carlo's shop";
and the query returns an error.
Is there a way to handle this case?
Answer 0 (score: 2)
Use mysql_real_escape_string() to escape the single quote. See the reference docs.
// Needs an open mysql_connect() link; the mysql extension was removed in PHP 7.
$orders = mysql_real_escape_string($orders);
$query = "SELECT * FROM customers WHERE customer_name = '$orders'";
Use PDO with prepared statements. See the reference docs.
// The value is bound as data, so the quote never reaches the SQL parser as syntax.
$query = $pdo->prepare('SELECT * FROM customers WHERE customer_name = :orders');
$query->execute(array('orders' => $orders));
mysqli with prepared statements.
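A runnable version of the prepared-statement approach from the answer above, added here as an example and not part of the original post. It uses an in-memory SQLite database through PDO so it runs offline; the table and rows are constructed stand-ins for the page's `customers` table, and the MySQL DSN and credentials mentioned in the comments are assumptions. It also shows that a value shaped to rewrite the original interpolated WHERE clause is matched literally once it is bound as a parameter, and includes the equivalent mysqli pattern the answer names (not executed here, since it needs a live MySQL connection).

```php
<?php
// Added example, not code from the original answer.
// Uses SQLite in memory so it runs offline; against MySQL only the DSN changes
// (assumed: new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', $user, $pass)).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for the page's `customers` table.
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, customer_name TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO customers (customer_name) VALUES (:name)');
foreach (["Carlo's shop", 'Acme Ltd', "O'Neil & Sons"] as $name) {
    $seed->execute(['name' => $name]);
}

// Lookup with a named placeholder. The apostrophe that broke the interpolated
// query in the question is sent as data, never spliced into the SQL text.
function findCustomers(PDO $pdo, string $orders): array
{
    $stmt = $pdo->prepare('SELECT * FROM customers WHERE customer_name = :orders');
    $stmt->execute(['orders' => $orders]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1. The value from the question now works.
$rows = findCustomers($pdo, "Carlo's shop");
printf("%d row(s) for \"Carlo's shop\": %s\n",
    count($rows), $rows[0]['customer_name'] ?? '(none)');

// 2. A value that would have turned the interpolated query into
//    ... WHERE customer_name = 'x' OR '1'='1' is compared literally instead,
//    so no row matches.
$rows = findCustomers($pdo, "x' OR '1'='1");
printf("%d row(s) for the tampered value\n", count($rows));

// Same pattern with mysqli, for a MySQL link the caller already opened
// (assumed: $mysqli = new mysqli('localhost', $user, $pass, 'shop')).
// Not run here because it needs a live MySQL server; get_result() needs mysqlnd.
function findCustomersMysqli(mysqli $mysqli, string $orders): array
{
    $stmt = $mysqli->prepare('SELECT * FROM customers WHERE customer_name = ?');
    $stmt->bind_param('s', $orders);   // 's' marks a string parameter
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

Run it with `php example.php`; the first lookup prints one row for "Carlo's shop" and the second prints zero rows. The point of the second call is the one escaping alone does not make obvious: with a bound parameter, the database receives the query structure and the value separately, so the value cannot change the structure no matter what characters it contains.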