问题
I want to do an INSERT into a MySQL database using:
$sql = "INSERT INTO table (title1) VALUES ('$myVar')";
but the problem is $myVar can contain the single quotes (' symbols, e.g. in "idiot's"). Can somebody tell me how to handle any single quotes in the variable as a letter and not as a piece of code?
(I know there are posts about this in the forum already, but I do not really understand their solutions, so sorry for double posting)
回答1:
You might be temped to replace each single quote with two of them.
like so
$myvar = "idiot\'s";
But resist the urge and escape it instead:
<?php $var = "Hello !! idiot's";
mysql_real_escape_string($var);?>
Or even better, use PDO
回答2:
Use mysqli_real_escape_string like this:
$myVar= mysqli_real_escape_string($link,$myVar);
and then your query.
It is advisable to use PDO too!
来源:https://stackoverflow.com/questions/36967233/how-to-insert-string-with-single-quote-symbol