收到“您的SQL语法有错误”错误-PHP,MySQL
[英]Getting “You have an error in your SQL syntax” error - PHP, MySQL
问题描述
I am writing an "Edit" page that gets the information from the database and show it in a form, and lets the user modify it by click Edit. 
我正在编写一个“编辑”页面,该页面从数据库获取信息并以表格形式显示它,并允许用户单击“编辑”对其进行修改。 However, I am getting this error: 但是,我收到此错误:
You have an error in your SQL syntax;
I've checked my code a lot in order to figure it out, but had no luck. 我已经检查了很多代码以弄清楚它,但是没有运气。 Here's my code : 这是我的代码:
<?php
if (isset($_POST["submit"])) {
$ind_name = $_POST["ind_name"];
$age = $_POST["age"];
$gender = $_POST["gender"];
$notes = $_POST["notes"];
$query = "UPDATE individual SET
ind_name = '{$ind_name}',
age = {$age},
gender = '{$gender}',
notes = '{$notes}'
WHERE id = {$_GET["ind"]} ";
$result = mysql_query($query);
if (mysql_affected_rows () == 1) {
header("Location: edit_ind.php?ind={$_GET["ind"]}");
} else {
echo "ERROR : " . mysql_error();
}
}
?>
And here's my html form code: 这是我的html表单代码:
<form action="edit_ind.php?ind=<?php echo $_GET["ind"]; ?>" method ="post" >
<div id="formWrapper_ind">
<label for="ind_name">Individual Name : </label>
<?php $ind_name_form = get_ind_info_ind("ind_name"); ?>
<input type="text" placeholder="Individual Name" name="ind_name" value="<?php echo $ind_name_form; ?>" required>
<br/>
<label for="age">Age : </label>
<?php $ind_age_form = get_ind_info_ind("age"); ?>
<input type="text" name="age" placeholder="Age" value="<?php echo $ind_age_form; ?>" required>
<br/>
<label for="gender">Gender : </label>
<div id="radios">
<?php $ind_gender_form = get_ind_info_ind("gender"); ?>
<p><input type="radio" name="gender" value="Male" <?php if ($ind_gender_form== 'Male') {echo "checked"; } ?>> Male
<input type="radio" name="gender" value="Female" <?php if ($ind_gender_form == 'Female') {echo "checked"; } ?>> Female</p>
</div>
<br/>
<label for="notes">Notes : </label>
<?php $ind_notes_form = get_ind_info_ind("notes"); ?>
<textarea placeholder="Individual Notes..." name="notes"><?php echo $ind_notes_form; ?></textarea>
<div id="buttons">
<input type="reset" value="Reset">
<input type="submit" name="submit" value="Done">
</div>
</div>
</form>
I can't find the syntactic error in my SQL code, please take a look at it. 我在SQL代码中找不到语法错误,请查看一下。 Thanks in advance. 提前致谢。
6 个解决方案
解决方案1
2 已采纳 2011-04-18 19:37:23
You need to escape all the variables used in the query: 您需要转义查询中使用的所有变量:
$ind_name = mysql_real_escape_string($_POST["ind_name"]);
$age = intval($_POST["age"]);
$gender = mysql_real_escape_string($_POST["gender"]);
$notes = mysql_real_escape_string($_POST["notes"]);
$ind = intval($_GET["ind"]);
$query = "UPDATE individual SET
ind_name = '$ind_name',
age = $age,
gender = '$gender',
notes = '$notes'
WHERE id = $ind";
解决方案2
1 2011-04-18 19:33:46
您可以从输出查询开始。
解决方案3
1 2011-04-18 19:34:24
您确定$_GET["ind"]}是整数吗?
解决方案4
1 2011-04-18 19:34:49
Change WHERE id = {$_GET["ind"]} "; to this: 将WHERE id = {$_GET["ind"]} ";更改为此:
WHERE id = ". $_GET["ind"];
Please note that it's open for SQL injections!! 请注意,它对SQL注入开放!
解决方案5
1 2011-04-18 19:35:26
Here is your problem: 这是您的问题:
WHERE id = {$_GET["ind"]} ";
You're using doublequotes. 您正在使用双引号。
解决方案6
1 2011-04-18 19:36:59
You really shouldn't be playing with $_GET this way: 您真的不应该这样玩$_GET :
$query = "UPDATE individual SET
ind_name = '{$ind_name}',
age = {$age},
gender = '{$gender}',
notes = '{$notes}'
WHERE id = {$_GET["ind"]} ";
I strongly suggest you to concat it like WHERE id = " . $_GET['ind'] . ""; 我强烈建议您像WHERE id = " . $_GET['ind'] . "";
SQL injection SQL注入
You should be really careful with the code you just posted because it can easily be injected with malicious code. 您应该对刚刚发布的代码非常小心,因为它很容易被恶意代码注入。 Always sanitze your variables . 始终清理变量 。 Any input the user gives you assume it's BAD and they want to use it against your app. 用户提供的任何输入都假定您输入的内容是错误的,并且他们想对您的应用程序使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.