[英]Mysqli UPDATE SET WHERE syntax error
So I had this chunk of php code所以我有这段 php 代码
if($_POST['action']=='newComment')
{
$mysqli = new mysqli("localhost", "root", "", "nested_comment");
$new_post = $mysqli->real_escape_string($_POST['content']);
$result = $mysqli->query("SELECT @myLeft := lft FROM comment
WHERE lft = '1';
UPDATE comment SET rgt = rgt + 2 WHERE rgt > @myLeft;
UPDATE comment SET lft = lft + 2 WHERE lft >= @myLeft;
INSERT INTO comment(content, lft, rgt) VALUES('$new_post', @myLeft, @myLeft + 1);");
if($result)
echo "ok";
else
echo $mysqli->error;
}
When I run this, an error is thrown:当我运行这个时,会抛出一个错误:
You have an error in your SQL syntax;
您的 SQL 语法有错误; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE comment SET rgt = rgt + 2 WHERE rgt > @myLeft;
检查与您的 MySQL 服务器版本相对应的手册,以获取在“更新注释 SET rgt = rgt + 2 WHERE rgt > @myLeft;”附近使用的正确语法。 UPDATE comment SET' at line 3
在第 3 行更新注释 SET'
But when I put the sql query into Sequel Pro(Mac), it works well.但是当我将 sql 查询放入 Sequel Pro(Mac) 时,它运行良好。 I tried many of other posts' solution and none of them work.
我尝试了许多其他帖子的解决方案,但都没有奏效。 Is there something wrong with my syntax, or something wrong with mysql version?
我的语法有问题,还是 mysql 版本有问题? Thanks a lot.
非常感谢。
This is because you are trying to execute multiple statements in one go这是因为您试图一次执行多个语句
http://php.net/manual/en/mysqli.quickstart.multiple-statement.php http://php.net/manual/en/mysqli.quickstart.multiple-statement.php
Mysqli has a function for that Mysqli 有一个功能
mysqli_multi_query()
Please note that any SQL injections found can now be chained together.请注意,现在可以将找到的任何 SQL 注入链接在一起。 Be careful when using it
使用时要小心
Security considerations
安全考虑
The API functions mysqli_query() and mysqli_real_query() do not set a connection flag necessary for activating multi queries in the server.
API 函数 mysqli_query() 和 mysqli_real_query() 不会设置激活服务器中的多查询所需的连接标志。 An extra API call is used for multiple statements to reduce the likeliness of accidental SQL injection attacks.
对多条语句使用额外的 API 调用,以减少意外 SQL 注入攻击的可能性。 An attacker may try to add statements such as ;
攻击者可能会尝试添加诸如 ; DROP DATABASE mysql or ;
删除数据库 mysql 或 ; SELECT SLEEP(999).
选择睡眠(999)。 If the attacker succeeds in adding SQL to the statement string but mysqli_multi_query is not used, the server will not execute the second, injected and malicious SQL statement.
如果攻击者成功将 SQL 添加到语句字符串中,但未使用 mysqli_multi_query,则服务器将不会执行第二条注入的恶意 SQL 语句。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.