PHP / MySQL中的UPDATE查询失败,错误代码1064,SQLState 42000
[英]UPDATE Query in PHP/MySQL Failing with Error Code 1064, SQLState 42000
问题描述
When building my app, I made the create query with no trouble. 
在构建我的应用程序时,我毫不费力地进行了创建查询。 However, when I copied my PHP from the create file to the update file, I've been getting this error: 但是,当我将PHP从创建文件复制到更新文件时,出现了以下错误:
UPDATE people SET firstname = 'First', lastname = 'Last', email = 'test@mail.com', phonenumber = 1234567890 WHERE id = 1'
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax;
Usually, when I get this error, the error gives me an accurate place to fix up. 通常,当我收到此错误时,该错误为我提供了一个正确的修复位置。 Can anyone help me find this error? 谁能帮我找到这个错误?
update.sql: update.sql:
if (isset($_POST['submit'])) {
require "../resources/config.php";
require "../resources/common.php";
try {
$connection = new PDO($dsn, $username, $password, $options);
$id = $_GET['id'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$phonenumber = $_POST['phonenumber'];
$updated_number = array($firstname, $lastname, $email, $phonenumber);
$sql = sprintf(
"UPDATE %s SET firstname = '$firstname', lastname = '$lastname', email = '$email', phonenumber = $phonenumber WHERE id = %s",
"people",
$id
);
$statement = $connection->prepare($sql);
$statement->execute($updated_number);
header("Location: index.php");
}
catch(PDOException $error) {
echo $sql . "<br>" . $error->getMessage();
}
}
2 个解决方案
解决方案1
1 已采纳 2018-04-08 15:11:42
You have two issues here. 您在这里有两个问题。 The first, and more important is your use of prepared statements. 首先,也是更重要的是您使用准备好的语句。 All values in the query itself should be bound. 查询本身中的所有值都应绑定。 So your query should really be: 因此,您的查询实际上应该是:
$updated_number = array($firstname, $lastname, $email, $phonenumber, $id);
$sql = sprintf("UPDATE %s
SET firstname = ?, lastname = ?, email = ?, phonenumber = ?
WHERE id = ?",
"people");
The second is your sprintf usage. 第二个是您的sprintf用法。
WHERE id = %s
The %s is a string, %d is for an integer. %s是字符串, %d是整数。 With correct prepared statements this isn't needed though. 使用正确的预备语句,这不是必需的。 If "people" isn't a variable and being built dynamically I think it would be easier to just build that whole query as a normal string. 如果"people"不是变量并且是动态构建的,我认为将整个查询构建为普通字符串会更容易。 eg 例如
$sql = 'UPDATE people
SET firstname = ?, lastname = ?, email = ?, phonenumber = ?
WHERE id = ?';
解决方案2
1 2018-04-08 15:15:02
Don't use sprintf for building SQL statements as it opens your code up to SQL Injection attacks, it is better to use prepared statements which would looks something like this: 不要使用sprintf来构建SQL语句,因为它会使您的代码容易受到SQL Injection攻击,最好使用准备好的语句,如下所示:
$sql = "UPDATE `people` SET `firstname` = :firstname, `lastname` = :lastname, `email` = :email, `phonenumber` = :phonenumber WHERE `id` = :id;"
$statement = $connection->prepare($sql);
$statement->bindParam(':firstname', $firstname);
$statement->bindParam(':lastname', $lastname);
$statement->bindParam(':email', $email);
$statement->bindParam(':phonenumber', $phonenumber);
$statement->bindParam(':id', $id);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.