堆栈内存溢出
  简体   繁体   English

尽管一切正确,但MySQL查询语法错误

[英]MySql query syntax error despite everything being correct

 原文  2013-02-04 15:45:47       php/ mysql

问题描述

All the server details are put correctly, and the connection does happen properly, I cannot seem to find the syntax error that shows up in the output. 所有服务器详细信息都正确放置,并且连接确实发生了,我似乎找不到输出中显示的语法错误。 

<?php
    ob_start();
    $phn=$_GET['phn'];
    $con = mysql_connect("<server>","<user>","<pass>") or die('error' . mysql_error());
    $db_selected = mysql_select_db('<db name>', $con);
    if (!$db_selected) {
        die ('Can\'t use user : ' . mysql_error());
    }
    $characters = 'abcdefghijklmnopqrstuvwxyz0123456789';
     $key= '';
     for ($i = 0; $i < 9; $i++) {
          $key.= $characters[rand(0, strlen($characters) - 1)];
     }
     echo $key;
    $sql="INSERT INTO buser (phone, key) VALUES (".$phn.",'".$key."')";
    if($result = mysql_query($sql ,$con) or die ('Error: '.mysql_error ()))
    {
    $q="SELECT * FROM buser WHERE phone=$phn";
    $idd=mysql_query($q,$con) or die ('Error: '.mysql_error ());
    while($row = mysql_fetch_assoc($idd))
      {
      $id=$row['bid'];
      }
    }
     ?>

Output: 输出:

Error: You have an error in your SQL syntax; 错误:您的SQL语法有错误; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key) VALUES (9999,'ywfjj2dtc')' at line 1 检查与您的MySQL服务器版本相对应的手册,以在第1行的'key)VALUES(9999,'ywfjj2dtc')'附近使用正确的语法

1 个解决方案

解决方案1
 5 已采纳  

KEY is a MySQL reserved keyword . KEYMySQL的保留关键字 You must enclose it in backticks to use it as a column or table identifier. 您必须将其括在反引号中,才能用作列或表的标识符。 

$sql="INSERT INTO buser (phone, `key`) VALUES (".$phn.",'".$key."')";

Your script is vulnerable to SQL injection in its current form. 您的脚本容易受到当前形式的SQL注入的攻击。 At a minimum, you must call mysql_real_escape_string() on the value of $phn . 至少必须$phn的值调用mysql_real_escape_string() 

$phn = mysql_real_escape_string($_GET['phn']);

In the long term, consider switching to an API which supports prepared statements, like MySQLi or PDO. 从长远来看,考虑切换到支持预准备语句的API,例如MySQLi或PDO。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 mysql SELECT 查询返回错误,语法正确 - mysql SELECT query returning error with correct syntax MySQL和PHP查询正确语法 - Mysql & PHP Correct Syntax For Query 有关MySQL查询的正确语法的帮助 - Help on correct Syntax for a MySQL Query 即使查询语法正确,MySQL也会抛出错误 - MySQL throws error even though query syntax is correct MySQL UPDATE语法错误-一切正常吗? - MySQL UPDATE syntax error - Everything is ok? MySQL访问被拒绝错误,但一切正确! - MySQL access denied error but everything is correct! mysql查询语法错误 - error with mysql query syntax MySQL查询-语法错误 - MySql query - syntax error MySQL查询的语法错误 - Syntax Error with MySQL Query MySQL查询语法错误 - Mysql query error with syntax
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM