mysqli_real_escape_string creating SQL syntax error

I am working on a script to update a database when I need to change information on a page. If there are NO special characters in the text (for example ' or ") the script works fine; if there are any special characters I get an error such as this one:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'angry' song, the music will incite surrounding characters to become more aggressive. As' at line 1

I am hoping for help to see what I may have missed in this script. Thanks in advance for your time.

Initial page for selecting data to update:

<?php
    include('../connect/connect-mysql.php');

$sql="SELECT * FROM table Order by Appeared asc";
$result=mysql_query($sql);
?>
<h4>Update/Edit Tool</h4>

<table width="400" border="0" cellspacing="1" cellpadding="0">
<tr>
<td>
<table width="400" border="1" cellspacing="0" cellpadding="3">
<tr>
<th align="center"><font face="Verdana" size="1">Update</font></th>
<th align="center"><font face="Verdana" size="1">Power</font></th>
<th align="center"><font face="Verdana" size="1">Power2</font></th>
<th align="center"><font face="Verdana" size="1">Power3</font></th>
<th align="center"><font face="Verdana" size="1">Power4</font></th>
</tr>

<?php
while($rows=mysql_fetch_array($result)){
?>

<tr>
<td align="center"><font face="Verdana" size="1"><a href="p_update.php?id=<?php echo $rows['IDNumber']; ?>">update</a></font></td>
<td><font face="Verdana" size="1"><div style="height:20px; width:160px; overflow:hidden"><?php echo $rows['Power']; ?></div></font></td>
<td><font face="Verdana" size="1"><div style="height:20px; width:160px; overflow:hidden"><?php echo $rows['Power2']; ?></div></font></td>
<td><font face="Verdana" size="1"><div style="height:20px; width:160px; overflow:hidden"><?php echo $rows['Power3']; ?></div></font></td>
<td><font face="Verdana" size="1"><div style="height:20px; width:160px; overflow:hidden"><?php echo $rows['Power4']; ?></div></font></td>
</tr>

<?php
}
?>

</table>

Editing page ( p_update.php ):

<?php
$id=$_GET['id'];

$sql="SELECT * FROM table WHERE IDNumber='$id'";
$result=mysql_query($sql) or die(mysql_error());

$rows=mysql_fetch_array($result);
?>
<body>
<h1>Update Data</h1>
<form name="form1" method="post" action="p_update_ac.php">
<fieldset>
    <legend>Update Data</legend>
    <table border="1" width="100%" style="border-collapse: collapse">
    <tr><th><font face="Verdana" size="1"><label>Database ID: </label></font></th><td><font size="1" face="Verdana"><input name="IDNumber" type="text" id="IDNumber" value="<?php echo $rows['IDNumber']; ?>" size="10"><b>DO NOT CHANGE THIS FIELD</b></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power Category: </label></font></th><td><font size="1" face="Verdana"><input name="Powcategory" type="text" id="Powcategory" value="<?php echo $rows['Powcategory']; ?>" size="50"></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power: </label></font></th><td><font size="1" face="Verdana"><input name="Power" type="text" id="Power" value="<?php echo $rows['Power']; ?>" size="150"></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power 2: </label></font></th><td><font size="1" face="Verdana"><input name="Power2" type="text" id="Power2" value="<?php echo $rows['Power2']; ?>" size="150"></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power 3: </label></font></th><td><font size="1" face="Verdana"><input name="Power3" type="text" id="Power3" value="<?php echo $rows['Power3']; ?>" size="150"></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power 4: </label></font></th><td><font size="1" face="Verdana"><input name="Power4" type="text" id="Power4" value="<?php echo $rows['Power4']; ?>" size="150"></font></td></tr>
    </table>
</fieldset>
<br>
<input name="id" type="hidden" id="id" value="<?php echo $rows['id']; ?>"><input type="submit" name="Submit" value="Update Record">
</form>
<?php
// close connection
mysql_close();
?>

The following code is p_update_ac.php, which is called by the p_update.php script in order to run the update.

<?php
include('../connect/connect-mysql.php');

$IDNumber = mysqli_real_escape_string($dbcon, $_POST['IDNumber']);
$Power = mysqli_real_escape_string($dbcon, $_POST['Power']);
$Power2 = mysqli_real_escape_string($dbcon, $_POST['Power2']);
$Power3 = mysqli_real_escape_string($dbcon, $_POST['Power3']);
$Power4 = mysqli_real_escape_string($dbcon, $_POST['Power4']);

$sql="UPDATE table SET Power='$Power',Power2='$Power2',Power3='$Power3',Power4='$Power4' WHERE IDNumber='$IDNumber'";
$result=mysql_query($sql) or die(mysql_error());

if($result){
echo "Successful";
echo "<p>";
echo "<a href='p_list_records.php'>View result</a>";

}

else {
echo "ERROR";
}

?>

Your UPDATE code won't work because you are mixing two different APIs, and they do not mix together.

By APIs I mean mysqli_* and mysql_* functions.

I'm under the impression that your DB connection is in fact mysql_* because you wouldn't have gotten an error message otherwise, so I'm including two versions below, just in case (see footnotes):

Sidenote: You should be using mysqli_* functions with prepared statements, or PDO.

Use the following if mysql:

<?php
include('../connect/connect-mysql.php');

$IDNumber = mysql_real_escape_string($_POST['IDNumber']);
$Power = mysql_real_escape_string($_POST['Power']);
$Power2 = mysql_real_escape_string($_POST['Power2']);
$Power3 = mysql_real_escape_string($_POST['Power3']);
$Power4 = mysql_real_escape_string($_POST['Power4']);

$sql="UPDATE table SET Power='$Power',Power2='$Power2',Power3='$Power3',Power4='$Power4' WHERE IDNumber='$IDNumber'";
$result=mysql_query($sql,$dbcon) or die(mysql_error());

if($result){
echo "Successful";
echo "<p>";
echo "<a href='p_list_records.php'>View result</a>";

}

else {
echo "ERROR";
}

?>

Use the following if mysqli:

<?php
include('../connect/connect-mysql.php');

$IDNumber = mysqli_real_escape_string($dbcon, $_POST['IDNumber']);
$Power = mysqli_real_escape_string($dbcon, $_POST['Power']);
$Power2 = mysqli_real_escape_string($dbcon, $_POST['Power2']);
$Power3 = mysqli_real_escape_string($dbcon, $_POST['Power3']);
$Power4 = mysqli_real_escape_string($dbcon, $_POST['Power4']);

$sql="UPDATE table SET Power='$Power',Power2='$Power2',Power3='$Power3',Power4='$Power4' WHERE IDNumber='$IDNumber'";
$result=mysqli_query($dbcon,$sql) or die(mysqli_error($dbcon));

if($result){
echo "Successful";
echo "<p>";
echo "<a href='p_list_records.php'>View result</a>";

}

else {
echo "ERROR";
}

?>

To switch to a mysqli_* connection, replace the xxx with your DB credentials:

DEFINE ('DB_USER', 'xxx');
DEFINE ('DB_PASSWORD', 'xxx');
DEFINE ('DB_HOST', 'xxx');
DEFINE ('DB_NAME', 'xxx');

$dbcon = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) 
OR die("could not connect");

Footnotes:

mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/ .

Documentation for MySQL can be found at » http://dev.mysql.com/doc/ .
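The answer's sidenote recommends prepared statements but does not show them. Below is an added example (not code from the original post or the answer) of p_update_ac.php rewritten with a mysqli prepared statement, so the quotes in input such as 'angry' song ... As' can no longer terminate the SQL string literal. It assumes ../connect/connect-mysql.php creates a mysqli connection in $dbcon (as in the answer's switch-over snippet), that the table is literally named `table` as in the question, and that IDNumber is a string column as the question's own WHERE IDNumber='$id' suggests; the $fields array is constructed sample input standing in for $_POST. The same change applies to the unescaped $_GET['id'] lookup in p_update.php.

```php
<?php
// Added example: p_update_ac.php using a mysqli prepared statement.
// Assumes ../connect/connect-mysql.php defines a mysqli connection in $dbcon.
include('../connect/connect-mysql.php');

// Turn mysqli failures into exceptions so a failed prepare/execute cannot be
// silently ignored, and pin the connection charset (utf8mb4 assumed here;
// mysqli_real_escape_string is only correct when this charset matches, while
// bound parameters do not depend on it).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
mysqli_set_charset($dbcon, 'utf8mb4');

// Constructed sample input; in production use $_POST here instead.
// Power carries the exact text that broke the question's interpolated query.
$fields = [
    'IDNumber' => '42',
    'Power'    => "'angry' song, the music will incite surrounding characters to become more aggressive. As",
    'Power2'   => "O'Brien's \"quoted\" text; DROP TABLE x; --",
    'Power3'   => '',
    'Power4'   => '',
];

// Every field must be present and a plain string: a form can submit
// field[]=x, which arrives as an array and must be rejected, not bound.
foreach (['IDNumber', 'Power', 'Power2', 'Power3', 'Power4'] as $name) {
    if (!isset($fields[$name]) || !is_string($fields[$name])) {
        http_response_code(400);
        exit('Missing or malformed field: ' . htmlspecialchars($name));
    }
}

try {
    // Placeholders instead of string interpolation: the values travel to the
    // server separately from the SQL text, so no quote in the data can end
    // the literal or append SQL. No escaping function is involved at all.
    $stmt = mysqli_prepare(
        $dbcon,
        'UPDATE `table` SET Power = ?, Power2 = ?, Power3 = ?, Power4 = ? WHERE IDNumber = ?'
    );
    // All five bound as strings ('s'); use 'i' for IDNumber if the column is INT.
    mysqli_stmt_bind_param(
        $stmt, 'sssss',
        $fields['Power'], $fields['Power2'], $fields['Power3'], $fields['Power4'],
        $fields['IDNumber']
    );
    mysqli_stmt_execute($stmt);

    // A truthy result only means the statement ran. affected_rows is 0 both
    // when IDNumber matched nothing and when the row already held these
    // values, so report that case rather than an unconditional "Successful".
    if (mysqli_stmt_affected_rows($stmt) > 0) {
        echo "Successful<p><a href='p_list_records.php'>View result</a>";
    } else {
        echo 'No row was changed';
    }
    mysqli_stmt_close($stmt);
} catch (mysqli_sql_exception $e) {
    // Log the driver message server-side. die(mysql_error()) in the original
    // echoes it to the browser, which exposes query text and schema names.
    error_log('p_update_ac.php: ' . $e->getMessage());
    http_response_code(500);
    echo 'ERROR';
}
mysqli_close($dbcon);
```

Note that the original symptom is itself a sign the escaping never happened: mysqli_real_escape_string() given a non-mysqli connection does not return an escaped string, so the raw quotes reached the query. With bound parameters there is no escaping step to get wrong, which is why the answer's sidenote points to prepared statements or PDO rather than to a corrected escape call.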

If you use the original MySQL API of PHP you should use mysql_real_escape_string() instead.

$IDNumber = mysqli_real_escape_string($dbcon, $_POST['IDNumber']);

// ...

$result=mysql_query($sql) or die(mysql_error());

Disclaimer: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.