PHP + MySQL + PDO 中的单引号转义

Single quote escaping in PHP + MySQL + PDO

我需要有关转义单引号的帮助。我在那里检查了很多 material,但我还不够精明,无法使用它。我的 PHP 代码如下。

<?php
    $db = new PDO("mysql:host=localhost;dbname=tool", 'root', 'password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
    $rne = file_get_contents('/path/export.txt');

    $sql = "
        LOAD DATA INFILE '/path/UCBTexport.txt'INTO TABLE tool_tbl FIELDS TERMINATED BY ',' ( Bug_ID, Date_Tool_Ran, Headline, Submitted_By, Create_Modify_Date, Severity, Status );
        UPDATE `tool_tbl` SET `Release_Notes`= '$rne' WHERE id = LAST_INSERT_ID()
        ";

    $stmt = $db->prepare($sql);
    $stmt->execute();
    $i = 0;

    do {
        $i++;
    }
    while ($stmt->nextRowset())
        ;

    $error = $stmt->errorInfo();
    if ($error[0] != "00000")
    {
        echo "Query $i failed: " . $error[2];
    }
    else
    {
        echo "inserted Successfully";
    }
    die();

我的两个查询都有偶尔包含所有类型特殊字符的文本。如何使用此代码中的 mysql_real_escape_string 转义特殊字符?

试试这个可能对你有帮助

<?php
        $db = new PDO("mysql:host=localhost;dbname=tool", 'root', 'password');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
        $rne = file_get_contents('/path/export.txt');

            $sql = <<<SQL
    LOAD DATA INFILE '/path/UCBTexport.txt' INTO TABLE tool_tbl FIELDS TERMINATED BY ',' ( Bug_ID, Date_Tool_Ran, Headline, Submitted_By, Create_Modify_Date, Severity, Status );
    UPDATE `tool_tbl` SET `Release_Notes`= '$rne' WHERE id = LAST_INSERT_ID()
    SQL;

        $stmt = $db->prepare($sql);
        $stmt->execute();
        $i = 0;

           do {
              $i++;
              } 
           while ($stmt->nextRowset());


         $error = $stmt->errorInfo();
          if ($error[0] != "00000")

              { 
            echo "Query $i failed: " . $error[2];
              }
            else
              {
            echo "inserted Successfully";
              }
      die();

尝试用这个替换。

$sql = "LOAD DATA INFILE '/path/UCBTexport.txt' INTO TABLE `tool_tbl` FIELDS TERMINATED BY ','( Bug_ID, Date_Tool_Ran, Headline, Submitted_By, Create_Modify_Date, Severity, Status ) ;
SET @last_id = LAST_INSERT_ID();
UPDATE `tool_tbl` SET `Release_Notes`= $rne WHERE id=@last_id";
<?php
    $db = new PDO("mysql:host=localhost;dbname="tool", 'root', 'password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);

    $rne = file_get_contents('/path/export.txt');
    $rne = mysql_real_escape_string($rne); >>>> this is the addition that fixed 

       $sql = "
            LOAD DATA INFILE '/path/UCBTexport.txt'INTO TABLE tool_tbl FIELDS TERMINATED BY ',' ( Bug_ID, Date_Tool_Ran, Headline, Subm
            itted_By, Create_Modify_Date, Severity, Status );
            UPDATE `tool_tbl` SET `Release_Notes`= '$rne' WHERE id = LAST_INSERT_ID()
              ";

$stmt = $db->prepare($sql);
$stmt->execute();
$i = 0;

这是一个老问题,但我写了这个答案,因为接受的答案使用 mysql_real_escape_string() 已弃用。

Can use $stmt->bindParam(":parameter_name", $php_variable, PDO::PARAM_STR); and don't need to escape single quote

    $db = new PDO("mysql:host=localhost;dbname=tool", 'root', 'password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
    $rne = file_get_contents('/path/export.txt');

       $sql = "
        LOAD DATA INFILE '/path/UCBTexport.txt'INTO TABLE tool_tbl FIELDS TERMINATED BY ',' ( Bug_ID, Date_Tool_Ran, Headline, Subm
itted_By, Create_Modify_Date, Severity, Status );
UPDATE `tool_tbl` SET `Release_Notes`= :rne WHERE id = LAST_INSERT_ID()
         ";

    $stmt = $db->prepare($sql);
    $stmt->bindParam(":rne", $rne, PDO::PARAM_STR);
    $stmt->execute();