
MySQL working correctly but shows syntax error

I have non-buggy MySQL code (it's working and inputs correct data into every field):

$sql = "UPDATE bloggers SET img_name = '" . $img_name . "', name = '" . $blogger_name . "', blog_url = '" . $blog_url . "', google_plus = '" . $google_plus . "' WHERE blogger_id = '" . $blogger_id . "'";

$res = mysql_query($sql);
if ($res) {
    return 99;
} else {
    return 0;
}

where $res will return 99.

However, it's giving me this error:

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1''' at line 1

How do I go about solving this problem?

Let me know! Thanks!

Regards

I think there is a special character in your parameters. So sanitize your params with mysql_real_escape_string. It will prevent SQL injection attacks as well.

$img_name = mysql_real_escape_string($img_name);
$blogger_name = mysql_real_escape_string($blogger_name);
$blog_url = mysql_real_escape_string($blog_url);
$google_plus = mysql_real_escape_string($google_plus);

Well, to answer your question: you are performing SQL injection on your own code, since one of your variables contains a single quote or slash.

You could escape them using mysql_real_escape_string, BUT I would not do that, since the mysql_* functions have been deprecated.

Use PDO prepared statements or MySQLi instead, where the i stands for improved.

Using PDO it could be as simple as:

$stmt = $pdoInstance->prepare("
    UPDATE bloggers
    SET img_name = :imgname, name = :blogname,
        blog_url = :blogurl, google_plus = :googleplus
    WHERE blogger_id = :blogid
");

// bind parameters
$stmt->bindParam(':imgname', $img_name, PDO::PARAM_STR);
$stmt->bindParam(':blogname', $blogger_name, PDO::PARAM_STR);
$stmt->bindParam(':blogurl', $blog_url, PDO::PARAM_STR);
$stmt->bindParam(':googleplus', $google_plus, PDO::PARAM_STR);
$stmt->bindParam(':blogid', $blogger_id, PDO::PARAM_INT);

if ($stmt->execute()) {
    // success
}
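To see both answers at work without a MySQL server, here is an added, self-contained example (not code from the question or either answer) that runs the question's UPDATE both ways against an in-memory SQLite database via PDO: the concatenated query breaks on a value containing a single quote, exactly the syntax error the question reports, while the prepared statement treats the quote as data. The table, the row and the input values are constructed here; only the column names come from the question.

```php
<?php
// Added example: in-memory SQLite through PDO so it runs offline. The
// bloggers table and its single row are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE bloggers (blogger_id INTEGER PRIMARY KEY, img_name TEXT, name TEXT, blog_url TEXT, google_plus TEXT)");
$pdo->exec("INSERT INTO bloggers VALUES (1, 'old.png', 'old', 'http://old.example/', '')");

// Constructed input: a name with a single quote, the kind of value that
// turns the concatenated query from the question into invalid SQL.
$img_name     = "photo.png";
$blogger_name = "O'Brien";
$blog_url     = "http://blog.example/";
$google_plus  = "";
$blogger_id   = 1;

// 1. The concatenated form from the question: the quote inside
//    $blogger_name closes the string literal early, and the remainder
//    ("Brien', blog_url = ...") is parsed as SQL, so the statement fails.
$sql = "UPDATE bloggers SET img_name = '" . $img_name . "', name = '" . $blogger_name
     . "', blog_url = '" . $blog_url . "', google_plus = '" . $google_plus
     . "' WHERE blogger_id = '" . $blogger_id . "'";
try {
    $pdo->exec($sql);
    echo "concatenated query ran (unexpected)\n";
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2. The prepared statement from the second answer: the SQL text is sent
//    without the values, which are bound separately, so quotes in the data
//    can never become SQL syntax.
$stmt = $pdo->prepare("
    UPDATE bloggers
    SET img_name = :imgname, name = :blogname,
        blog_url = :blogurl, google_plus = :googleplus
    WHERE blogger_id = :blogid
");
$stmt->bindValue(':imgname', $img_name, PDO::PARAM_STR);
$stmt->bindValue(':blogname', $blogger_name, PDO::PARAM_STR);
$stmt->bindValue(':blogurl', $blog_url, PDO::PARAM_STR);
$stmt->bindValue(':googleplus', $google_plus, PDO::PARAM_STR);
$stmt->bindValue(':blogid', $blogger_id, PDO::PARAM_INT);
$stmt->execute();

// Read the row back to confirm the quoted name was stored intact.
$row = $pdo->query("SELECT name FROM bloggers WHERE blogger_id = 1")->fetch(PDO::FETCH_ASSOC);
echo "name is now: " . $row['name'] . "\n";
```

Swapping `sqlite::memory:` for a MySQL DSN changes nothing in the prepared-statement half, which is the point of parameter binding.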
