query problem with a text with a single quote_问答_开发者

query problem with a text with a single quote

开发者 https://www.devze.com 2023-03-31 07:23 出处：网络

I need to do this query: SELECT * FROM brands WHERE brand =`l\'artigiano italiano` Should be quite simple but it\'s not working.

相关专题：drupal php

I need to do this query:

SELECT * FROM brands WHERE brand =`l'artigiano italiano`

Should be quite simple but it's not working. Like all my queries I try to execute it with the following code

$myDB = Database::getConnection($target='....',$key='....');

$sqlLogo = 'SELECT * FROM brands WHERE brand =`' . $brand->merk . '`';
$resultLogo = $myDB->query($sqlLogo);

When I open the page I get the following error

PDOException: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'l'artigiano italiano' in 'where clause': SELECT * FROM brands WHERE brand =`l'artigiano italiano`; Array ( ) in merken_admin_settings() (line 23 of /home/medias开发者_高级运维pe/domains/mediaspex.be/public_html/juniorsteps/sites/all/modules/merken/merken.admin.inc)

I tried to use

WHERE brand = "..."

and

WHERE brand = `...`

but both did not work.

Any suggestions about the possible cause? I'm staring blind at the code at the moment.

You should escape anything you embed in a SQL query. As you are using PDO, you should do it with $myDB->quote():

$sqlLogo = "SELECT * FROM brands WHERE brand = '" . $myDB->quote($brand->merk) . "'";

You can use both double quotes (") and single quotes (') for enclosing your values, but not back quotes (`).

It is even better to use prepared statements:

$stmt = $myDB->prepare("SELECT * FROM brands WHERE brand = :brand");
$resultLogo = $stmt->execute(array('brand' => $brand->merk));

This way you don't have to take care of escaping.

Have you tried escaping the single quote?

"l\'artigiano italiano"

MySQL String Syntax

While all of the other answers are valid for regular mysql_* functions, if you are using PDO, you should be taking advantage of prepared statements. They were made for just this purpose.

Just escaping the single quote can do the trick but try PDO prepared statements, they help you with security too (as already discussed here)
You can do it like this:

$brand = "l'artigiano italiano";
$stmt = $db->prepare('SELECT * FROM brands WHERE brand = :brand');
$stmt->execute( array(':brand' => $brand) );

It looks like you're using Drupal. If that's so (I assume so from the way you get the database connection and obviously the tag), you should execute your query like this:

$result = db_query('SELECT * FROM {brands} WHERE brand = :brand', array(':brand' => $brand));

That's all. Note:

Use of db_query(), which will call Database::getConnection() internally. You only need to call Database::getConnection() yourself if you want to connect to another than the default connection.
Use uf curly braces ({}) for tables managed by Drupal (which means, tables installed through hook_schema() of your module). If this is an external table not related to the Drupal installation, you won't need those. The curly braces ensure that the proper table name prefix is inserted in case the drupal installation was configured with one (which is for example the case when running tests!)
You can use :placeholder syntax for the dynamic values and directly specify the value in the second argument of db_query() (or $myMD->query(), that's the same interface).