php - 将描述写入数据库 - UTF8 - 转义？

Question

我想写入 this XML file 的值到我的数据库。我的问题是，我每次都会收到 SQL 错误，我想添加这些描述。我已经尝试使用 preg_quote 转义特殊字符，但它不起作用...

但我不知道为什么它不起作用。此函数将值添加到我的数据库中:

function addToSQL($dom, $XMLpath, $shopID){
    $doc = simplexml_import_dom($dom);
    $items = $doc->xpath($XMLpath);
    $database = new mysqli("localhost", "censored", "censored", "censored");
    $sqlstatement = "INSERT INTO `wp_all_import_xml` (name, price, price_old, shop, url, publisher, category, platform, picture, description) VALUES \n";

    echo "(addToSQL) Transferring Data into SQL\n";

    foreach ($items as $item) {
        $node = dom_import_simplexml($item);
        $title = $node->getElementsByTagName('title')->item(0)->textContent;
        $price = $node->getElementsByTagName('price')->item(0)->textContent;
        $url = $node->getElementsByTagName('url')->item(0)->textContent;
        $price_old = 0;
        $publisher = "";
        $category = "";
        $platform = "";
        $image = "";
        $description = "";

        if($node->getElementsByTagName('price_base')->item(0)){
            $publisher = $node->getElementsByTagName('price_base')->item(0)->textContent;
        }

        if($node->getElementsByTagName('publisher')->item(0)){
            $publisher = $node->getElementsByTagName('publisher')->item(0)->textContent;
        }

        if($node->getElementsByTagName('category')->item(0)){
            $category = $node->getElementsByTagName('category')->item(0)->textContent;
        }

        if($node->getElementsByTagName('platform')->item(0)){
            $platform = $node->getElementsByTagName('platform')->item(0)->textContent;
        }

        if($node->getElementsByTagName('image')->item(0)){
            $image = $node->getElementsByTagName('image')->item(0)->textContent;
        }

        if($node->getElementsByTagName('packshot')->item(0)){
            $image = $node->getElementsByTagName('packshot')->item(0)->textContent;
        }

        if($node->getElementsByTagName('desc')->item(0)){
            $description = $node->getElementsByTagName('desc')->item(0)->textContent;
            //$description = preg_quote($description);
            //echo $description . "\n";
        }

        $sqlstatement .= "('$title', '$price', '$price_old', '$shopID', '$url', '$publisher', '$category', '$platform', '$image', '$description')," . "\n";
    }

    $sqlstatement = substr($sqlstatement, 0, -2) . ";";
    //$sqlstatement = $database->real_escape_string($sqlstatement);

    if(!(($database->query($sqlstatement))  === TRUE)){
        echo "(addToSQL) Error writing games to database!\n";
    }

    $sqlstatement = null;
    $sqlstatement = "INSERT INTO `wp_all_import_xml` (name, price, shop, url, publisher, category, platform, description) VALUES \n";

    echo "(addToSQL) finished\n";
}

此函数适用于我的所有其他 XML 文件，因为它们不包含描述。由于它们不包含描述，因此 var $descriptions 将变为 ""，因为标签 desc 不存在。该函数也适用于我想将描述添加到数据库的 XML 文件。但在我添加了这个之后:

if($node->getElementsByTagName('desc')->item(0)){
    $description = $node->getElementsByTagName('desc')->item(0)->textContent;
    //$description = preg_quote($description);
    //echo $description . "\n";
}

此 XML 文件的 SQL 查询每次都会失败。所以，应该是描述。

但是我该如何解决这个问题呢？ - 怎么了？ ——我的失败在哪里？ 我是否必须告诉 var $description 将字符串编码为 UTF-8？

我不再有任何想法了...如果有帮助，我会非常高兴!

问候并谢谢您!

Answer 1

我强烈建议您使用:

$database->real_escape_string($parameter);

用于要插入的所有参数。 它应该处理任何无效字符并保护您的数据库免受任何 SQL 注入(inject)。