getting :
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Creed III', description='The plot is set in a fictional history of real ' at line 2
when trying to edit posts on a database.
heres my display and edit php:
$result = mysql_query("SELECT * FROM gallery");
while ($row = mysql_fetch_array( $result )){
// while looping thru each record…
// output each field anyway you like
$title = $row['title'] ;
$description = $row['description'];
$year = $row['year'];
$rating = $row['rating'];
$genre = $row['genre'];
$filename = $row['filename'];
$imageid = $row['imageid'];
include '../modules/edit_display.html';
}
// STEP 2: IF Update button is pressed , THEN UPDATE DB with the changes posted
if(isset($_POST['submit'])){
$thisTitle = $_POST['title'];
$thisDescription = $_POST['description'];
$thisYear = $POST['year'];
$thisRating = $POST['rating'];
$thisGenre = $POST['genre'];
$thisNewFilename = basename($_FILES['file']['name']);
$thisOneToEdit = $_POST['imageid'];
$thisfilename = $_POST['filename'];
if ($thisNewFilename == ""){
$thisNewFilename = $thisfilename ;
} else {
uploadImage();
createThumb($thisNewFilename , 120, "../uploads/thumbs120/");
}
$sql = "UPDATE gallery SET
title='$thisTitle',
description='$thisDescription',
year='$thisYear',
rating='$thisRating',
genre='$thisGenre',
filename='$thisNewFilename'
WHERE
imageid= $thisOneToEdit";
$result = mysql_query($sql) or die (mysql_error());
}
You're suffering from an imminent dose of SQL Injection due to using a dangerous user input model.
When you type "Assassin's Creed III" in the title
field, that gets placed in single quotes in the UPDATE
statement in your code (via the $_POST['title']
variable):
'Assassin's Creed III'
The problem there is that MySQL sees it as 'Assassin'
, followed by s Creed III'
. It doesn't know what to do with the latter.
Of course, this becomes a HUGE problem if someone types in valid SQL at that point, but not what you expected. Have a look at How can I prevent SQL injection in PHP? or any of several other advices on avoiding SQL Injection.
You have syntax error here. Use $_POST
instead of $POST
.
Replace
$thisYear = $POST['year'];
$thisRating = $POST['rating'];
$thisGenre = $POST['genre'];
With
$thisYear = $_POST['year'];
$thisRating = $_POST['rating'];
$thisGenre = $_POST['genre'];
我已经看到您正在将'
添加到数据库中,所以您需要使用addslashes()
对其进行转义
addslashes($thisTitle)
you need to escape your input like
$thisDescription = mysql_real_escape_string($_POST['description']);
do this for all input that contains quotation marks etc..
NOTE: mysql will soon be gone so its advised to write new code using mysqli instead
You have alot of issues in your script.
You're trying to add '
character to database, you need to escape it properly with addslashes
.
You're vulnerable to SQL Injection
. Escape it properly with mysql_real_escape_string
, or even better, use PDO
.
Third, it is $_POST
, not $POST
. You're using it wrong in some areas.
Add quotes to $thisOneToEdit
in query.
The error is causing because you're trying to add Assasin's Creed III
string to database. The single quote breaks your query and creates a syntax error.
在查询中使用它们之前,对可能包含单引号或双引号的值进行addslashes(),如下所示
$thisTitle = addslashes($_POST['title']);
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.