[英]MySQL Select…Where Clause Returns Syntax Error
I've been racking my brain with this problem, and after searching Google and Stack Overflow a hundred times each I've decided to just ask about it outright. 我一直在为这个问题绞尽脑汁,在搜索Google和Stack Overflow一百次之后,我决定直接提出这个问题。
I'm trying to make a page that uses PHP and MySQL to search a database as the user types in a keyword. 我正在尝试制作一个页面,该页面使用PHP和MySQL在用户键入关键字时搜索数据库。 I've used several tutorials on the subject, and they all appeared upfront and simple, but have not given any prediction for the trouble I've been having.
我已经使用了几个有关该主题的教程,它们都看上去很简单,但是并没有给出我遇到的麻烦的任何预测。
When I use "SELECT * FROM charlist", it returns all rows, as it should. 当我使用“ SELECT * FROM charlist”时,它会返回所有行。 But when I use "SELECT * FROM charlist WHERE Character ='" .
但是当我使用“ SELECT * FROM charlist WHERE Character ='”时。 $character .
$ character。 "'", I get the following error:
“'”,出现以下错误:
Error: You have an error in your SQL syntax;
错误:您的SQL语法有错误; check the manual that corresponds to your MySQL server version for the right syntax to use near '= 'X'' at line 1
检查与您的MySQL服务器版本相对应的手册,以在第1行的'='X'附近使用正确的语法
X is whatever the user typed in, and blank if nothing is typed in. X是用户输入的内容,如果没有输入,则为空白。
What am I doing wrong? 我究竟做错了什么?
Here is the full code: 这是完整的代码:
<?php
$con = mysqli_connect("xxxx", "xxxxxxxx", "xxxxxxx", "xxxxxxxxxx");
if (!$con)
{
die('Could not connect: ' . mysqli_error($con));
}
$character = $_POST[character];
mysqli_select_db($con, "xxxxxxxx");
$sql = "SELECT * FROM charlist WHERE Character = '" . $character . "'";
$result = mysqli_query($con,$sql);
if (!$result) {
printf("Error: %s\n", mysqli_error($con));
exit();
}
echo "<table border='1'>
<tr>
<th>Character</th>
<th>Player</th>
</tr>";
while($row = mysqli_fetch_array($result))
{
echo '<tr style="border-color:#';
echo $row[Color];
echo ';">';
echo '<td style="border-style:solid;border-width:3px;"><a href="';
echo $row[url];
echo '">';
echo $row[Character];
echo '</a></td>';
echo '<td>';
echo $row[Player];
echo'</td>';
echo '</tr>';
}
echo '</table>';
mysqli_close($con);
?>
change this line 改变这条线
$character = $_POST[character];
to 至
$character = $_POST['character'];
and you should be throught 而你应该
Try escaping $character using: 尝试使用以下命令转义$ character:
$sql = "SELECT * FROM charlist WHERE Character = '" . $ sql =“ SELECT * FROM charlist WHERE Character ='”。 mysqli_real_escape_string($character) .
mysqli_real_escape_string($ character)。 "'";
“'”;
In case there are quotes in the character name breaking the query. 如果字符名称中有引号,则会打断查询。
使用查询为
"SELECT * FROM charlist WHERE Character ='$character'"
Turning on PHP error reporting would have helped: 打开PHP错误报告将有助于:
$character = $_POST[character];
// -----------^--------^
should be: 应该:
$character = $_POST['character'];
Also, inserting a variable directly into your query is a very bad practice and makes your site vulnerable to SQL injection. 另外,直接在查询中插入变量是非常不好的做法,这会使您的站点容易受到SQL注入的攻击。 Always treat user input with care!
始终小心对待用户输入!
$sql = mysqli_real_escape_string($con, $sql);
Hope this helps! 希望这可以帮助!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.