堆栈内存溢出
  简体   繁体   English

MySQL语法:SQL语法有误

[英]MySQL syntax:You have an error in your SQL syntax

 原文  2010-04-03 13:49:36       php/ mysql/ mysql-error-1064

问题描述

I have written a very simple function: 我写了一个非常简单的函数: 

function editCategory() {
    $ID         = urlencode($_GET['id']);
    $cname   = mysql_fix_string($_POST['cname']);
    $kabst   = mysql_fix_string($_POST['kabst']);
    $kselect    = $_POST['kselect'];
    $subsl      = $_POST['subsl'];
    $kradio     = $_POST['kradio'];
    $ksubmit    = $_POST['ksubmit'];

    if (isset($ksubmit)) {
        $query = "UPDATE category SET name = '$cname', description = '$kabst', published = '$kselect',  home = '$kradio', subcat = '$subsl'  WHERE id = $ID ";

        $result = mysql_query($query);
        if (mysql_affected_rows () == 1) {
            echo "ok";
        }
        else{
            echo mysql_error();
        }
    }
}

function mysql_fix_string($string)
{
    if (get_magic_quotes_gpc())
        $string = stripslashes(($string));
    return mysql_real_escape_string($string);
}

Error: 错误:

You have an error in your SQL syntax; 您的SQL语法有误; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 检查与您的MySQL服务器版本相对应的手册,以在第1行的''附近使用正确的语法

What is wrong? 怎么了?

4 个解决方案

解决方案1
 6  2010-04-03 13:56:45

$ID         = intval($_GET['id']); //using urlencode here is weird
$cname      =  mysql_real_escape_string($_POST['cname']); 
//and the same for the rest ALL.
$kradio     = mysql_real_escape_string($_POST['kradio']);

Also, 也, 

$ksubmit    = $_POST['ksubmit']; 
if (isset($ksubmit)) {

is senseless. 毫无意义。 $ksubmit would be always set it should be $ ksubmit将始终设置为 

if (isset($_POST['ksubmit'])) {

To be sure you have all variables, please add these lines at the top of the script: 为确保您拥有所有变量,请在脚本顶部添加以下行: 

ini_set('display_errors',1);
error_reporting(E_ALL);

解决方案2
 1  2010-04-03 13:59:11

You have to make sure that : 您必须确保:

  • For fields that are strings (varchar/char) in the DB : 对于数据库中字符串(varchar / char)的字段:
    • the values you're passing are properly enclosed with quotes 您传递的值正确地用引号引起来
    • the content of the values you're passing must be escaped : if there is a quote in what the user POSTed, it must be escaped -- see mysql_real_escape_string 您传递的值的内容必须转义:如果用户发布的内容中有引号,则必须转义-请参见mysql_real_escape_string
  • For fields that are integers in the DB : 对于在DB中为整数的字段:
    • You must pass integer values 您必须传递整数值
    • which can be ensured by calling intval on the values POSTed by the user 这可以通过在用户发布的值上调用intval来确保


Here, you should probably : 在这里,您可能应该:

  • Use intval() on $_GET['id'] $_GET['id']上使用intval()
  • Use mysql_real_escape_string on some other fields. 在其他一些字段上使用mysql_real_escape_string
    • JUdging from the query, in which all fields, except id are enclosed with single-quotes, I'd say you have to use mysql_real_escape_string on all fields -- except id , of course. 从查询来看,其中除id以外的所有字段都用单引号引起来,我想说您必须在所有字段上使用mysql_real_escape_string ,当然,除了id


As a sidenote : 作为旁注:

  • You are using $_GET for id 您正在使用$_GET作为id
  • And $_POST for everything else. $_POST用于其他所有内容。

Is that on purpose ? 那是故意的吗?

解决方案3
 0  2010-04-03 13:58:17

Sounds like an empty variable. 听起来像一个空变量。

And do something against SQL injection, everybody can hack your database. 并针对SQL注入进行一些操作,每个人都可以入侵您的数据库。 With a little luck, you're the one killing your database... Use mysql_real_escape_string() for all user input into your queries. 幸运的是,您是一个杀死数据库的人...将mysql_real_escape_string()用于查询中的所有用户输入。

解决方案4
 0 已采纳  2010-04-03 15:14:35

Here is an example of a very simple CRU D application, just to show how to pass an id: 这是一个非常简单的CRU D应用程序的示例,仅用于说明如何传递ID: 

<?
mysql_connect();
mysql_select_db("new");
$table="test";
if($_SERVER['REQUEST_METHOD']=='POST') { //form handler part:
  $name = mysql_real_escape_string($_POST['name']);
  if ($id=intval($_POST['id'])) {
    $query="UPDATE $table SET name='$name' WHERE id=$id";
  } else {
    $query="INSERT INTO $table SET name='$name'";
  }
  mysql_query($query) or trigger_error(mysql_error()." in ".$query);
  header("Location: http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
  exit;
}
if (!isset($_GET['id'])) { //listing part:
  $LIST=array();
  $query="SELECT * FROM $table";
  $res=mysql_query($query);
  while($row=mysql_fetch_assoc($res)) $LIST[]=$row;
  include 'list.php';
} else { // form displaying part:

  if ($id=intval($_GET['id'])) {
    $query="SELECT * FROM $table WHERE id=$id";
    $res=mysql_query($query);
    $row=mysql_fetch_assoc($res);
    foreach ($row as $k => $v) $row[$k]=htmlspecialchars($v);
  } else {
    $row['name']='';
    $row['id']=0;
  }
  include 'form.php';
}
?>

File form.php: 文件form.php: 

<form method="POST">
<input type="text" name="name" value="<?=$row['name']?>"><br>
<input type="hidden" name="id" value="<?=$row['id']?>">
<input type="submit"><br>
<a href="?">Return to the list</a>
</form>

File list.php: 文件list.php: 

<a href="?id=0">Add item</a>
<? foreach ($LIST as $row): ?>
<li><a href="?id=<?=$row['id']?>"><?=$row['name']?></a>
<? endforeach ?>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 MySQL语法:您的SQL语法有误... - MySQL syntax:You have an error in your SQL syntax… MySQL错误-插入时“您的SQL语法有错误” - MySQL Error - “You have an error in your SQL syntax” on insert PHP mysql 连接错误:您的 SQL 语法有错误 - PHP mysql connection error : You have an error in your SQL syntax MySQL查询出错:“您的SQL语法出错; ......” - Error in MySQL Query: “You have an error in your SQL syntax; …” 收到“您的SQL语法有错误”错误-PHP,MySQL - Getting “You have an error in your SQL syntax” error - PHP, MySQL mySQL错误:您的SQL语法有错误(ENGINE = MyISAM) - mySQL error: You have an error in your SQL syntax (ENGINE=MyISAM) MySQL错误 - “您的SQL语法中有错误” - MySQL error - “You have an error in your SQL syntax” MySQL错误:&#39;你的SQL语法有错误&#39; - MySQL error: ' You have an error in your SQL syntax' MySQL说:文档(#1064)-您的SQL语法有错误; - MySQL said: Documentation (#1064) - You have an error in your SQL syntax; 您的SQL语法有误-PHP MYSQL - You have an error in your SQL syntax - PHP MYSQL
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM