無效的查詢：您的SQL語法有錯誤;特殊字符

我做PHP和編寫一些代碼，同時將數據插入到不同的表。我寫了一個foreach循環和我的代碼的一部分如下：無效的查詢：您的SQL語法有錯誤;特殊字符

while ($datarow = dbgetrow($dataresult)) { 
        if ($dotcount > $datanumrows) { 
          showarchivestatus(" .", true); 
          $dotcount = 1; 
        } 
        $sqlvalues = ""; 
        foreach($lu_cols as $lu_col) { 
          if ($datarow[$lu_col] == "") { 
           $sqlvalues = $sqlvalues.", NULL "; 
          } else { 
            $sqlvalues = $sqlvalues.", \"".makesafe($datarow[$lu_col])."\""; 
          } 
        } 
        $sqlinsert = "INSERT INTO ".$lu_table." VALUES(".substr($sqlvalues,2).")"; 
          $archivedb = dbconnect($a_host, $a_dbname, $a_port, $a_user, $a_password); 
        dbrunquery($sqlinsert, $archivedb); 
        $dotcount++; 
      }

下面是函數makesafe：

function makesafe($text) 
{ 
    $instring = strpos($text, "'"); 
    while ($instring >= 0) 
    { 
     if ($instring === false) 
      break; 

     if (substr($text, $instring-1, 1) != "\\") 
     { 
       $text = substr($text, 0, $instring)."\\".substr($text, $instring, strlen($text)-$instring); 
      } 
     $instring = strpos($text, "'", $instring + 1); 
    } 

    $instring = strpos($text, '"'); 
    while ($instring >= 0) 
    { 
    if ($instring === false) 
     break; 

    if (substr($text, $instring-1, 1) != "\\") 
    { 
    $text = substr($text, 0, $instring)."\\".substr($text, $instring, strlen($text)-$instring); 
    } 
    $instring = strpos($text, '"', $instring + 1); 
    } 

return $text; 
}

，但我得到了錯誤：

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"support.microsoft.com/default.aspx?scid=kb\")' at line 1 SQLStatement=INSERT INTO reference VALUES("5441461", "4", "support.microsoft.com/default.aspx?scid=kb\")

我知道問題是特殊字符\，但我仍然想要用這個特殊字符插入數據。我怎樣才能改變它併成功插入數據？許多人都很欣賞任何答案。謝謝。

來源

2016-02-26 ccy

使用ヶ輛 – devpro

更多的代碼： $ sqlvalues = 「」; foreach（$ lu_cols as $ lu_col）{ if（$ datarow [$ lu_col] ==「」）{ $ sqlvalues = $ sqlvalues。「，NULL」; } else { $ sqlvalues = $ sqlvalues。「，\」「。makesafe（$ datarow [$ lu_col]）。」\「」; } } – ccy

將此問題添加到問題 – devpro

您需要在將字符串放入數據庫之前將其轉義。

這裏是如何做到這一點的MySQLi的

<?php 
$con=mysqli_connect("localhost","my_user","my_password","my_db"); 

// Check connection 
if (mysqli_connect_errno()) { 
    echo "Failed to connect to MySQL: " . mysqli_connect_error(); 
} 

// escape variables for security 
$firstname = mysqli_real_escape_string($con, $_POST['firstname']); 
$lastname = mysqli_real_escape_string($con, $_POST['lastname']); 
$age = mysqli_real_escape_string($con, $_POST['age']); 

$sql="INSERT INTO Persons (FirstName, LastName, Age) 
VALUES ('$firstname', '$lastname', '$age')"; 

if (!mysqli_query($con,$sql)) { 
    die('Error: ' . mysqli_error($con)); 
} 
echo "1 record added"; 

    mysqli_close($con); 
?>

一個基本的例子這裏是PDO的例子：

<?php 
$conn = new PDO('sqlite:/home/lynn/music.sql3'); 

/* Dangerous string */ 
$string = 'Naughty \' string'; 
print "Unquoted string: $string\n"; 
print "Quoted string:" . $conn->quote($string) . "\n"; 
?>

你可能要考慮使用一個事先準備好的聲明。有幾個好處，這包括：