搜索词在php中包含特殊字符时出错
搜索带有特殊字符的术语时,我遇到了一个致命的PHP错误(例如搜索词在php中包含特殊字符时出错,php,mysql,pdo,prepared-statement,special-characters,Php,Mysql,Pdo,Prepared Statement,Special Characters,搜索带有特殊字符的术语时,我遇到了一个致命的PHP错误(例如John O'Malley)。Mysql数据库字符集是utf8\U unicode\U ci dbconn.php文件 <?php $DB_host = "removed"; $DB_user = "removed"; $DB_pass = "removed"; $DB_name = "removed"; try { $DBcon = new PDO("mysql:host={$DB_host};d
John O'Malley<?php
$DB_host = "removed";
$DB_user = "removed";
$DB_pass = "removed";
$DB_name = "removed";
try
{
$DBcon = new PDO("mysql:host={$DB_host};dbname={$DB_name};charset=utf8",$DB_user,$DB_pass);
$DBcon->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e)
{
echo "";
}
你已经成功了一半。准备好的语句将允许您执行此查询,但您必须正确使用它们。要正确使用它们,必须参数化查询。所有值都应该是查询中的占位符,然后对它们进行绑定
尝试:
使用pdo绑定参数这就是您使用预处理语句的原因。恶意用户可以使用特殊字符操纵数据库中的数据(SQL注入攻击)。阅读PDO准备的语句。使用参数化查询避免错误并防止错误。
<?php
$stmt = $DBcon->prepare("SELECT * FROM player WHERE player_name LIKE '%$Search%' LIMIT 25");
$stmt->execute();
?>
$stmt = $DBcon->prepare("SELECT * FROM player WHERE player_name LIKE concat('%', ?, '%') LIMIT 25");
$stmt->execute(array($Search));