1

我有一张我想在其中匹配的fnamelname

我的查询是

$result = $mysqli->query('SELECT * FROM user_friend_detail WHERE userId = "'.$_SESSION["userId"].'" AND FriendFirstName = "'.mysql_real_escape_string($firstName).'" AND FriendLastName = "'.mysql_real_escape_string($lastName).'"   AND   FriendStatusCode="verified" AND friendId!='.$fid.' ')  or die($mysqli->error);

问题是如果我写Joh'nny,的名字'不匹配,我该如何解决?

4

1 回答 1

1

由于您已经在使用 mysqli,您不妨使用准备好的语句,这样您就不必担心进行正确的转义:

$stmt = $mysqli->prepare('SELECT * 
    FROM user_friend_detail 
    WHERE userId = ? AND FriendFirstName = ? AND FriendLastName = ?   
      AND   FriendStatusCode="verified" AND friendId <> ?');

$stmt->bind_param('issi', $_SESSION['userId'], $firstName, $lastName, $fid);
$stmt->execute();

也可以看看:mysqli::prepare()

更新

此外,您可能启用了魔术引号,您应该将其关闭

于 2013-12-17T20:52:03.420 回答