blocks|key|1165966|text|您可以在SQL级别进行$input的连接：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1165967|$sql=$DB->quoteInto("SELECT+*+FROM+t+WHERE+myname+LIKE+'%25'%7C%7C+?+%7C%7C'%25'",$input);|code-block|syntax|javascript|1165968|不幸的是，当您希望$input能够包含文字‘%25’或‘_’字符时，这是不可用的。要解决此问题，请指定一个显式的类转义字符并自己转义它们：|1165969|$inputlike=+'%25'.preg_replace('[%25_=]',+'=$0',+$input).'%25';
$sql=$DB->quoteInto("SELECT+*+FROM+t+WHERE+myname+LIKE+?+ESCAPE+'='",+$inputlike);|1165970|(它可以是任何字符，不一定是'=‘。当未在MySQL中指定时，这也解决了转义默认为‘\’的错误。)|1165971|不幸的是，SQL+Server还将‘[’字符视为特殊字符，以执行类似regexp的字符组。因此，如果您的数据库是SQL+Server，则必须在preg_replace中的组中包含‘[’。不幸的是，在不需要转义的其他DBMS上转义‘[’不是有效的ANSL+SQL。|1165972|entityMap^0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|R|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|S|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|T|8|@]|9|@]|A|$E|F]]|$1|K|3|L|5|6|7|U|8|@]|9|@]|A|$]]|$1|M|3|N|5|6|7|V|8|@]|9|@]|A|$]]|$1|O|3|-4|5|6|7|W|8|@]|9|@]|A|$]]]|P|$]]

You can do the concatenation of $input at the SQL level:

<pre><code>$sql=$DB-&gt;quoteInto("SELECT * FROM t WHERE myname LIKE '%'|| ? ||'%'",$input);
</code></pre>

Unfortunately this isn't usable when you want $input to be able to contain literal ‘%’ or ‘_’ characters. To get round this, specify an explicit LIKE-ESCAPE character and escape them yourself:

<pre><code>$inputlike= '%'.preg_replace('[%_=]', '=$0', $input).'%';
$sql=$DB-&gt;quoteInto("SELECT * FROM t WHERE myname LIKE ? ESCAPE '='", $inputlike);
</code></pre>

(It can be any character, not necessarily '='. This also works around a bug where ESCAPE defaults to ‘\’ when not specified in MySQL.)

Unfortunately SQL Server also takes the ‘[’ character as special, to do a regexp-like character group. So if your DB is SQL Server you have to include ‘[’ in the group in preg_replace. Unfortunately it is not valid ANSL SQL to escape ‘[’ on other DBMSs where it doesn't need to be escaped.

blocks|key|598054|text|您可以只使用zf对字符串addcslashes($value，“\000\n\r\‘\”\032“)使用的函数；该函数将以与zf使用的相同方式替换字符串，或者您可以(在mysql的情况下)使用mysql_real_escape_string。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|598055|无论哪种方式，您都不会使用db引用函数之一|598056|我确实想知道db类中是否有一个方法可以做到这一点，但我不知道应该有一个方法。|598057|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|I|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|J|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|G|$]]

you could just use the function that zf uses on the string which is addcslashes($value, "\000\n\r\'\"\032"); that would replace the string in the same way that zf uses or you could (in the case of mysql) use mysql_real_escape_string.

either way you wouldn't use one of the db quote functions

i do wonder if there's a method in the db class to do this but i don't know of one there should be though.

blocks|key|1166000|text|最后一个选项对我来说效果很好，我没有经历过转义'%25‘的情况。所以$db->quote('%25'.$_GET['query'].'%25')输出%25queryvalue%25|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|1166001|entityMap^0|W|Y|1W|C|0^^$0|@$1|2|3|4|5|6|7|H|8|@$9|I|A|J|B|C]|$9|K|A|L|B|C]]|D|@]|E|$]]|$1|F|3|-4|5|6|7|M|8|@]|D|@]|E|$]]]|G|$]]

The last option is works out well for me i've not experienced it escaping '%'. So <code>$db-&gt;quote('%'.$_GET['query'].'%')</code> outputs <code>%queryvalue%</code>

blocks|key|1159250|text|这很简单：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1159251|$sql=$DB->quoteInto("SELECT+*
+++++++++++++++++++++FROM+t
+++++++++++++++++++++WHERE+myname+LIKE+?",'%25'+.+$input+.+'%25');

//Will+output:+SELECT+FROM+t+WHERE+myname+LIKE+'%25inputtedvalue%25'


$sql=$DB->quoteInto("SELECT+*
+++++++++++++++++++++FROM+t
+++++++++++++++++++++WHERE+myname+LIKE+?",'%25'+.+$input);

//Will+output:+SELECT+FROM+t+WHERE+myname+LIKE+'%25inputtedvalue'


$sql=$DB->quoteInto("SELECT+*
+++++++++++++++++++++FROM+t
+++++++++++++++++++++WHERE+myname+LIKE+?",+$input+.+'%25');

//Will+output:+SELECT+FROM+t+WHERE+myname+LIKE+'inputtedvalue%25'


$sql=$DB->quoteInto("SELECT+*
+++++++++++++++++++++FROM+t
+++++++++++++++++++++WHERE+myname+LIKE+?",+$input);

//Will+output:+SELECT+FROM+t+WHERE+myname+LIKE+'inputtedvalue'|code-block|syntax|javascript|1159252|问题是什么？|1159253|:)|1159254|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|N|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|O|8|@]|9|@]|A|$]]|$1|I|3|J|5|6|7|P|8|@]|9|@]|A|$]]|$1|K|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]]|L|$]]

It is very simple:

<pre><code>$sql=$DB-&gt;quoteInto("SELECT *
 FROM t
 WHERE myname LIKE ?",'%' . $input . '%');

//Will output: SELECT FROM t WHERE myname LIKE '%inputtedvalue%'


$sql=$DB-&gt;quoteInto("SELECT *
 FROM t
 WHERE myname LIKE ?",'%' . $input);

//Will output: SELECT FROM t WHERE myname LIKE '%inputtedvalue'


$sql=$DB-&gt;quoteInto("SELECT *
 FROM t
 WHERE myname LIKE ?", $input . '%');

//Will output: SELECT FROM t WHERE myname LIKE 'inputtedvalue%'


$sql=$DB-&gt;quoteInto("SELECT *
 FROM t
 WHERE myname LIKE ?", $input);

//Will output: SELECT FROM t WHERE myname LIKE 'inputtedvalue'
</code></pre>

What is the prolem?

:)

blocks|key|3819578|text|问题是，我们希望像特殊字符那样手动替换它们会有点脏，但如果没有解决方案……|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3819579|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

The problem is, we'd like to escape LIKE special characters
Manually replacing them would be a bit dirty, but if there's no solution...

blocks|key|598094|text|它更简单：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|598095|$table->select()->where("myname+LIKE+?",+'%25'.$input.'%25');|code-block|syntax|javascript|598096|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

It is more simple:

<pre><code>$table-&gt;select()-&gt;where("myname LIKE ?", '%'.$input.'%');
</code></pre>

blocks|key|598105|text|解决方案非常简单。Zend_Db甚至有一个表达式类可以帮助你解决这个问题。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|598106|$select+=+$this->select()
->where('value+LIKE("?")',+new+Zend_Db_Expr('%25'+.+$value+.+'%25'))

$this->fetchAll(+$select+);|code-block|syntax|javascript|598107|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

The solution is really simple. Zend_Db has een Expression class that helps you work arround it.

<pre><code>$select = $this-&gt;select()
-&gt;where('value LIKE("?")', new Zend_Db_Expr('%' . $value . '%'))

$this-&gt;fetchAll( $select );
</code></pre>

I have the following sql (a simplification of the real problem):

<pre><code>SELECT *
FROM t
WHERE myname LIKE '%{$input}%';
</code></pre>

How do I escape the $input? 
I can't use the quoteInto (unless I miss something). 
As

<pre><code>$sql=$DB-&gt;quoteInto("SELECT *
 FROM t
 WHERE myname LIKE '%?%'",$input);
</code></pre>

Will give me 

<pre><code>SELECT *
FROM t
WHERE myname LIKE '%'my input'%';
</code></pre>

and

<pre><code>$sql=$DB-&gt;quoteInto("SELECT *
 FROM t
 WHERE myname LIKE ?",'%'.$input.'%');
</code></pre>

Will give me something on the lines:

<pre><code>SELECT *
FROM t
WHERE myname LIKE '\%my input\%';
</code></pre>

How can I escape complex sql in Zend Framework?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

我有以下sql语句(对实际问题的简化)：SELECT *FROM tWHERE myname LIKE '%{$input}%';我如何逃脱$input？我不能使用quoteInto (除非我遗漏了什么)。作为$sql=$DB->quoteInto("SELECT *                     FROM ...

问如何在Zend Framework中转义复杂的sql？
EN

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何在Zend Framework中转义复杂的sql？EN