无法解决这个错误

Question

Can you guys see any obvious error in this query? The error im getting is: `Unknown column 003ADF50 in field list. 003ADF50 wtf?

query << "UPDATE `record` SET `record` = " << lastRecord << ", `time` = " << time;

Answer 1

What looks to be happening here is that one of those values that you're injecting into your sql is coming up as 003ADF50. (Probably the time value?)

Brendan Long is correct: you should be using prepared statements to properly handle parameters in your SQL. Manually concatenating strings leads to quoting problems like you see here, which can be serious security problems in your code. The specific quoting problem you're running into here is that the parameters aren't quoted in your resulting query string. If you were typing the SQL manually into the mysql client, you'd say something like:

UPDATE `record` set `record` = 'foo';

If instead you left out the quotes on 'foo' , you'd have:

UPDATE `record` set `record` = foo;

which is trying to set the record column to the value of the foo column, rather than the literal string 'foo' . The same thing is happening with the SQL you're generating from your C++. Trying to solve this by manually adding quotes isn't a good idea -- what happens when the string parameter contains a quote character? The best thing to do is to use prepared statements.

Also, Google "little bobby tables" for a well-known XKCD comic about sql parameter injection, and consider what would happen if Bobby Tables' name found its way into one of your program's variables.