“ where子句”中的未知列“ x” [1054]
[英]Unknown column 'x' in 'where clause' [1054]
问题描述
My website is integrated with phpbb forums, and I'm trying to have one php file and one template to pull up a unique page using different rows in the database. 
我的网站与phpbb论坛集成在一起,并且我试图使用一个php文件和一个模板来使用数据库中的不同行拉出唯一页面。 My example files look like this: 我的示例文件如下所示:
php file: php文件:
<?php
include "includes/phpbb.php";
$template->set_filenames(array(
'body' => 'people.html',
));
$name = $_GET['name'];
$result = $db->sql_query("SELECT * FROM people WHERE name = $name");
while($row = $db->sql_fetchrow($result))
{
$template->assign_vars(array(
'NAME' => $row['name'],
'AGE' => $row['age'],
));
}
$site->page_footer();
?>
Here is the html template: 这是html模板:
<!-- INCLUDE overall_header.html -->
{NAME} is {AGE} years old.
<!-- INCLUDE overall_footer.html -->
I have two rows in the table. 我桌上有两行。 One is named "Walt" with the age of "51", and the other is "Jesse", with the age of "25". 一个叫“ Walt”,年龄为“ 51”,另一个叫“ Jesse”,年龄为“ 25”。 Whenever I enter a url like people.php?name=Walt, I get an error page: 每当我输入诸如people.php?name = Walt之类的网址时,都会出现错误页面:
SQL ERROR [ mysqli ]
Unknown column 'Walt' in 'where clause' [1054]
SQL 的SQL
SELECT * FROM people WHERE name = Walt
If I enter a numerical value of ANY kind, it pulls up the page fine, but no variables filled in, so the page says "is years old". 如果我输入任何类型的数值,它将很好地拉出页面,但没有填写任何变量,因此页面上显示“已有几岁”。 If I enter ?name=name, it pulls up the second row in the database table, and says "Jesse is 25 years old" (That one REALLY puzzles me right there). 如果输入?name = name,它将拉出数据库表的第二行,并说“ Jesse 25岁”(那真的使我感到困惑)。
What am I doing wrong to cause this? 我做错了什么导致这个? I obviously want to be able to enter "Walt" or "Jesse" in the url, and get the entire page with just their row of information. 我显然希望能够在URL中输入“ Walt”或“ Jesse”,并获得仅包含其信息行的整个页面。
2 个解决方案
解决方案1
1 已采纳 2013-07-20 20:10:31
Simply you need to enclose your variable in a string. 只需将变量括在字符串中即可。 So: 所以:
$result = $db->sql_query("SELECT * FROM people WHERE name = '$name'");
should do the trick. 应该可以。
Be very very very careful. 非常非常非常小心。 I think the $db object is coming from phpbb, and they would sanitize any database query before executing it. 我认为$db对象来自phpbb,他们会在执行之前清理所有数据库查询。 But blindly taking user input and querying against the database without sanitation will lead to SQL Injection and world of pain. 但是,盲目地接受用户输入并在没有卫生条件的情况下查询数据库将导致SQL注入和痛苦的世界。 See What's the best method for sanitizing user input with PHP? 请参见用PHP清理用户输入的最佳方法是什么?
解决方案2
0 2013-07-20 20:11:08
名称应用引号引起来:
$result = $db->sql_query("SELECT * FROM people WHERE name = '$name'");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.