Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
4.3k views
in Technique[技术] by (71.8m points)

MySQL like 查询时 字符中包含单引号问题

语句拼接:

$condition .= " OR `name` LIKE concat('%',?,'%') OR `name` LIKE concat('%',?,'%'))";

            $params[] = $matches_before[1];
            $params[] = $name_all;

字符串:M&M'S

错误:
`
DB_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's%' ) GROUP BY img_url LIMIT 1' at line 1
RAW_SQL: SELECT id, name, img_url FROM material WHERE deleted_at is null and (name LIKE '%m's%' ) GROUP BY img_url LIMIT 1

`


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

特殊符号需要转义。

在程序侧 replace 吧。

P.S. 为啥不用参数化呢?不 care SQL 注入吗?


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...