[英]PHP PDO statement throwing fatal error
I have a function which is throwing an unusual error regarding a syntax issue. 我有一个函数引发关于语法问题的异常错误。 Have a look.
看一看。
public static function authenticate($_user, $_pass)
{
$sql = 'SELECT password, key
FROM users
WHERE username = ' . $_user;
$stm = Db::init()->prepare($sql);
if ($stm->execute())
return $stm->fetch(PDO::FETCH_ASSOC);
}
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax;
致命错误:消息为“ SQLSTATE [42000]”的未捕获的异常“ PDOException”:语法错误或访问冲突:1064 SQL语法有错误; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key FROM users WHERE username = testuser1' at line 1' in /class.php:111
检查与您的MySQL服务器版本对应的手册以获取正确的语法,以在/class.php:111中的“第1行的FROM FROM users WHERE username = testuser1'附近”使用
Stack trace:
堆栈跟踪:
#0 /class.php(111): PDOStatement->execute()#0 /class.php(111):PDOStatement-> execute()
#1 /class.php(118): Password::authenticate('testuser1', 'test')#1 /class.php(118):密码:: authenticate('testuser1','test')
#2 {main} thrown in /class.php on line 111#111 {main}在第111行的/class.php中抛出
Any ideas as to what this means? 关于这意味着什么的任何想法?
key
is a reserved word in sql. key
是sql中的保留字。 Surround it with backticks in your query. 在查询中用反引号将其引起来。 Like this:
像这样:
public static function authenticate($_user, $_pass)
{
$sql = 'SELECT password, `key`
FROM users
WHERE username = ' . $_user;
$stm = Db::init()->prepare($sql);
if ($stm->execute())
return $stm->fetch(PDO::FETCH_ASSOC);
}
BTW: You have a SQL injection vulnerability in your code. 顺便说一句:您的代码中存在一个SQL注入漏洞。 Use a parameterized query to bind the value of
$_user
. 使用参数化查询绑定
$_user
的值。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.