UPDATE Query in PHP/MySQL Failing with Error Code 1064, SQLState 42000
When building my app, I made the create query with no trouble. However, when I copied my PHP from the create file to the update file, I've been getting this error:
UPDATE people SET firstname = 'First', lastname = 'Last', email = 'test@mail.com', phonenumber = 1234567890 WHERE id = 1'
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
Usually, when I get this error, the error gives me an accurate place to fix up. Can anyone help me find this error?
update.sql:
if (isset($_POST['submit'])) {
    require "../resources/config.php";
    require "../resources/common.php";
    try {
        $connection = new PDO($dsn, $username, $password, $options);
        $id = $_GET['id'];
        $firstname = $_POST['firstname'];
        $lastname = $_POST['lastname'];
        $email = $_POST['email'];
        $phonenumber = $_POST['phonenumber'];
        $updated_number = array($firstname, $lastname, $email, $phonenumber);
        $sql = sprintf(
            "UPDATE %s SET firstname = '$firstname', lastname = '$lastname', email = '$email', phonenumber = $phonenumber WHERE id = %s",
            "people",
            $id
        );
        $statement = $connection->prepare($sql);
        $statement->execute($updated_number);
        header("Location: index.php");
    }
    catch(PDOException $error) {
        echo $sql . "<br>" . $error->getMessage();
    }
}
You have two issues here. The first, and more important, is your use of prepared statements. All values in the query itself should be bound. So your query should really be:
$updated_number = array($firstname, $lastname, $email, $phonenumber, $id);
$sql = sprintf("UPDATE %s
    SET firstname = ?, lastname = ?, email = ?, phonenumber = ?
    WHERE id = ?",
    "people");
The second is your sprintf usage:
WHERE id = %s
The %s is a string, %d is for an integer. With correct prepared statements this isn't needed though. If "people" isn't a variable and being built dynamically, I think it would be easier to just build that whole query as a normal string, e.g.
$sql = 'UPDATE people
    SET firstname = ?, lastname = ?, email = ?, phonenumber = ?
    WHERE id = ?';
Don't use sprintf for building SQL statements as it opens your code up to SQL Injection attacks; it is better to use prepared statements, which would look something like this:
$sql = "UPDATE `people` SET `firstname` = :firstname, `lastname` = :lastname, `email` = :email, `phonenumber` = :phonenumber WHERE `id` = :id;";
$statement = $connection->prepare($sql);
$statement->bindParam(':firstname', $firstname);
$statement->bindParam(':lastname', $lastname);
$statement->bindParam(':email', $email);
$statement->bindParam(':phonenumber', $phonenumber);
$statement->bindParam(':id', $id);
$statement->execute();
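A runnable illustration of the point both answers make, added here as an example; it is not code from the original question or from either answer. It uses PDO against an in-memory SQLite database (assumes the pdo_sqlite extension is loaded; the constructed `people` rows and the helper names `connect`, `updateUnsafe`, `updateSafe` and `countNamed` are mine, standing in for the asker's MariaDB table) so it runs without a server. The first function builds the UPDATE with sprintf and string interpolation as in the question; the second binds every value through named placeholders as in the second answer. A trailing quote in `id`, which is what the `WHERE id = 1'` in the asker's error shows, breaks only the string-built statement, and an `id` of `1 OR 1=1` rewrites every row when interpolated but matches nothing when bound. SQLite words the syntax error differently from MariaDB's 1064, but it is the same kind of failure.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes the pdo_sqlite extension is available; an in-memory database
// stands in for the asker's MariaDB server so the script runs offline.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data shaped like the `people` table in the question.
    $db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT, phonenumber TEXT)');
    $db->exec("INSERT INTO people VALUES
        (1, 'Ann', 'Adams', 'ann@example.com', '1111111111'),
        (2, 'Bob', 'Brown', 'bob@example.com', '2222222222')");
    return $db;
}

// The pattern from the question: values pasted into the SQL text with sprintf
// and interpolation. Whatever is in $id or $firstname becomes part of the statement.
function updateUnsafe(PDO $db, string $id, string $firstname): string
{
    $sql = sprintf("UPDATE %s SET firstname = '$firstname' WHERE id = %s", 'people', $id);
    try {
        $changed = $db->exec($sql);
        return $changed . ' row(s) changed';
    } catch (PDOException $e) {
        // A stray quote or unbalanced token lands here, as 1064 did in the question.
        return 'query failed: ' . $e->getMessage();
    }
}

// The pattern from the answers: the SQL text is fixed, every value is bound.
function updateSafe(PDO $db, string $id, string $firstname): int
{
    $stmt = $db->prepare('UPDATE people SET firstname = :firstname WHERE id = :id');
    $stmt->bindValue(':firstname', $firstname);
    $stmt->bindValue(':id', $id);
    $stmt->execute();
    return $stmt->rowCount();
}

function countNamed(PDO $db, string $firstname): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM people WHERE firstname = ?');
    $stmt->execute([$firstname]);
    return (int) $stmt->fetchColumn();
}

$db = connect();

// Case 1: the id carries a trailing quote, as in the error message in the question.
// Only the string-built statement becomes malformed.
echo "unsafe, id=1'       : ", updateUnsafe($db, "1'", 'First'), PHP_EOL;
echo "safe,   id=1'       : ", updateSafe($db, "1'", 'First'), " row(s) changed", PHP_EOL;

// Case 2: an attacker-chosen id. Interpolated, the OR widens the WHERE clause to
// every row; bound, the whole string is compared against the integer id and matches nothing.
echo "unsafe, id=1 OR 1=1 : ", updateUnsafe($db, '1 OR 1=1', 'Pwned'), PHP_EOL;
echo "rows named Pwned    : ", countNamed($db, 'Pwned'), PHP_EOL;

$db = connect(); // fresh copy of the constructed rows
echo "safe,   id=1 OR 1=1 : ", updateSafe($db, '1 OR 1=1', 'Pwned'), " row(s) changed", PHP_EOL;
echo "rows named Pwned    : ", countNamed($db, 'Pwned'), PHP_EOL;

// Case 3: the legitimate input the asker tested with works the same either way.
echo "safe,   id=1        : ", updateSafe($db, '1', 'First'), " row(s) changed", PHP_EOL;
```

Run it with `php example.php`. Against MySQL or MariaDB only the DSN and the table setup change: whether PDO emulates the prepare client-side or the server prepares the statement, a bound value travels as data and is never parsed as SQL syntax. Switching the `%s` for `id` to `%d`, as the first answer notes, would coerce `1 OR 1=1` to `1` for that one argument but does nothing for the interpolated string columns, which is why both answers point at binding rather than at the format specifier.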