[英]Getting “You have an error in your SQL syntax” error - PHP, MySQL
I am writing an "Edit" page that gets the information from the database and show it in a form, and lets the user modify it by click Edit. 我正在编写一个“编辑”页面,该页面从数据库获取信息并以表格形式显示它,并允许用户单击“编辑”对其进行修改。 However, I am getting this error:
但是,我收到此错误:
You have an error in your SQL syntax;
您的SQL语法有误; check the manual that corresponds to your MySQL server version for the right syntax to use near 's notes ...' WHERE id = 2' at line 5
检查与您的MySQL服务器版本相对应的手册,以在第5行的'notes ...'WHERE id = 2'附近使用正确的语法
I've checked my code a lot in order to figure it out, but had no luck. 我已经检查了很多代码以弄清楚它,但是没有运气。 Here's my code :
这是我的代码:
<?php
if (isset($_POST["submit"])) {
$ind_name = $_POST["ind_name"];
$age = $_POST["age"];
$gender = $_POST["gender"];
$notes = $_POST["notes"];
$query = "UPDATE individual SET
ind_name = '{$ind_name}',
age = {$age},
gender = '{$gender}',
notes = '{$notes}'
WHERE id = {$_GET["ind"]} ";
$result = mysql_query($query);
if (mysql_affected_rows () == 1) {
header("Location: edit_ind.php?ind={$_GET["ind"]}");
} else {
echo "ERROR : " . mysql_error();
}
}
?>
And here's my html form code: 这是我的html表单代码:
<form action="edit_ind.php?ind=<?php echo $_GET["ind"]; ?>" method ="post" >
<div id="formWrapper_ind">
<label for="ind_name">Individual Name : </label>
<?php $ind_name_form = get_ind_info_ind("ind_name"); ?>
<input type="text" placeholder="Individual Name" name="ind_name" value="<?php echo $ind_name_form; ?>" required>
<br/>
<label for="age">Age : </label>
<?php $ind_age_form = get_ind_info_ind("age"); ?>
<input type="text" name="age" placeholder="Age" value="<?php echo $ind_age_form; ?>" required>
<br/>
<label for="gender">Gender : </label>
<div id="radios">
<?php $ind_gender_form = get_ind_info_ind("gender"); ?>
<p><input type="radio" name="gender" value="Male" <?php if ($ind_gender_form== 'Male') {echo "checked"; } ?>> Male
<input type="radio" name="gender" value="Female" <?php if ($ind_gender_form == 'Female') {echo "checked"; } ?>> Female</p>
</div>
<br/>
<label for="notes">Notes : </label>
<?php $ind_notes_form = get_ind_info_ind("notes"); ?>
<textarea placeholder="Individual Notes..." name="notes"><?php echo $ind_notes_form; ?></textarea>
<div id="buttons">
<input type="reset" value="Reset">
<input type="submit" name="submit" value="Done">
</div>
</div>
</form>
I can't find the syntactic error in my SQL code, please take a look at it. 我在SQL代码中找不到语法错误,请查看一下。 Thanks in advance.
提前致谢。
You need to escape all the variables used in the query: 您需要转义查询中使用的所有变量:
$ind_name = mysql_real_escape_string($_POST["ind_name"]);
$age = intval($_POST["age"]);
$gender = mysql_real_escape_string($_POST["gender"]);
$notes = mysql_real_escape_string($_POST["notes"]);
$ind = intval($_GET["ind"]);
$query = "UPDATE individual SET
ind_name = '$ind_name',
age = $age,
gender = '$gender',
notes = '$notes'
WHERE id = $ind";
您可以从输出查询开始。
您确定$_GET["ind"]}
是整数吗?
Change WHERE id = {$_GET["ind"]} ";
to this: 将
WHERE id = {$_GET["ind"]} ";
更改为此:
WHERE id = ". $_GET["ind"];
Please note that it's open for SQL injections!! 请注意,它对SQL注入开放!
Here is your problem: 这是您的问题:
WHERE id = {$_GET["ind"]} ";
You're using doublequotes. 您正在使用双引号。
You really shouldn't be playing with $_GET
this way: 您真的不应该这样玩
$_GET
:
$query = "UPDATE individual SET
ind_name = '{$ind_name}',
age = {$age},
gender = '{$gender}',
notes = '{$notes}'
WHERE id = {$_GET["ind"]} ";
I strongly suggest you to concat it like WHERE id = " . $_GET['ind'] . "";
我强烈建议您像
WHERE id = " . $_GET['ind'] . "";
You should be really careful with the code you just posted because it can easily be injected with malicious code. 您应该对刚刚发布的代码非常小心,因为它很容易被恶意代码注入。 Always sanitze your variables .
始终清理变量 。 Any input the user gives you assume it's BAD and they want to use it against your app.
用户提供的任何输入都假定您输入的内容是错误的,并且他们想对您的应用程序使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.