[英]MySQL syntax:You have an error in your SQL syntax
I have written a very simple function: 我写了一个非常简单的函数:
function editCategory() {
$ID = urlencode($_GET['id']);
$cname = mysql_fix_string($_POST['cname']);
$kabst = mysql_fix_string($_POST['kabst']);
$kselect = $_POST['kselect'];
$subsl = $_POST['subsl'];
$kradio = $_POST['kradio'];
$ksubmit = $_POST['ksubmit'];
if (isset($ksubmit)) {
$query = "UPDATE category SET name = '$cname', description = '$kabst', published = '$kselect', home = '$kradio', subcat = '$subsl' WHERE id = $ID ";
$result = mysql_query($query);
if (mysql_affected_rows () == 1) {
echo "ok";
}
else{
echo mysql_error();
}
}
}
function mysql_fix_string($string)
{
if (get_magic_quotes_gpc())
$string = stripslashes(($string));
return mysql_real_escape_string($string);
}
Error: 错误:
You have an error in your SQL syntax;
您的SQL语法有误; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
检查与您的MySQL服务器版本相对应的手册,以在第1行的''附近使用正确的语法
What is wrong? 怎么了?
$ID = intval($_GET['id']); //using urlencode here is weird
$cname = mysql_real_escape_string($_POST['cname']);
//and the same for the rest ALL.
$kradio = mysql_real_escape_string($_POST['kradio']);
Also, 也,
$ksubmit = $_POST['ksubmit'];
if (isset($ksubmit)) {
is senseless. 毫无意义。 $ksubmit would be always set it should be
$ ksubmit将始终设置为
if (isset($_POST['ksubmit'])) {
To be sure you have all variables, please add these lines at the top of the script: 为确保您拥有所有变量,请在脚本顶部添加以下行:
ini_set('display_errors',1);
error_reporting(E_ALL);
You have to make sure that : 您必须确保:
mysql_real_escape_string
mysql_real_escape_string
Here, you should probably : 在这里,您可能应该:
intval()
on $_GET['id']
$_GET['id']
上使用intval()
mysql_real_escape_string
on some other fields. mysql_real_escape_string
。
id
are enclosed with single-quotes, I'd say you have to use mysql_real_escape_string
on all fields -- except id
, of course. id
以外的所有字段都用单引号引起来,我想说您必须在所有字段上使用mysql_real_escape_string
,当然,除了id
。
As a sidenote : 作为旁注:
$_GET
for id
$_GET
作为id
$_POST
for everything else. $_POST
用于其他所有内容。 Is that on purpose ? 那是故意的吗?
Sounds like an empty variable. 听起来像一个空变量。
And do something against SQL injection, everybody can hack your database. 并针对SQL注入进行一些操作,每个人都可以入侵您的数据库。 With a little luck, you're the one killing your database... Use mysql_real_escape_string() for all user input into your queries.
幸运的是,您是一个杀死数据库的人...将mysql_real_escape_string()用于查询中的所有用户输入。
Here is an example of a very simple CRU D application, just to show how to pass an id: 这是一个非常简单的CRU
D应用程序的示例,仅用于说明如何传递ID:
<?
mysql_connect();
mysql_select_db("new");
$table="test";
if($_SERVER['REQUEST_METHOD']=='POST') { //form handler part:
$name = mysql_real_escape_string($_POST['name']);
if ($id=intval($_POST['id'])) {
$query="UPDATE $table SET name='$name' WHERE id=$id";
} else {
$query="INSERT INTO $table SET name='$name'";
}
mysql_query($query) or trigger_error(mysql_error()." in ".$query);
header("Location: http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
exit;
}
if (!isset($_GET['id'])) { //listing part:
$LIST=array();
$query="SELECT * FROM $table";
$res=mysql_query($query);
while($row=mysql_fetch_assoc($res)) $LIST[]=$row;
include 'list.php';
} else { // form displaying part:
if ($id=intval($_GET['id'])) {
$query="SELECT * FROM $table WHERE id=$id";
$res=mysql_query($query);
$row=mysql_fetch_assoc($res);
foreach ($row as $k => $v) $row[$k]=htmlspecialchars($v);
} else {
$row['name']='';
$row['id']=0;
}
include 'form.php';
}
?>
File form.php: 文件form.php:
<form method="POST">
<input type="text" name="name" value="<?=$row['name']?>"><br>
<input type="hidden" name="id" value="<?=$row['id']?>">
<input type="submit"><br>
<a href="?">Return to the list</a>
</form>
File list.php: 文件list.php:
<a href="?id=0">Add item</a>
<? foreach ($LIST as $row): ?>
<li><a href="?id=<?=$row['id']?>"><?=$row['name']?></a>
<? endforeach ?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.