stackoom
  简体   繁体   中英

MySQL syntax error?

 原文  2017-03-17 10:57:03       php/ mysql

Question

I'm using a developer to help me build a site - and I'm getting an error relating to a webform when I use the text: I'm

Further details:

“You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm', team_member_pic = ''' at line 7”

that he can't solve. He's suggesting it's the version of MySQL (5.5.23) on my webhost (Hostgator) - because the code seems to work okay on his server with MYSQL 5.5.xx at (GoDaddy)

The code he's applying is as follows: 

$insert = "INSERT INTO ".TABLE_PREFIX."host_manager_team_members SET 
                    user_id = '".$_REQUEST['id']."',
                    team_member_firstname =     
'".addslashes($_REQUEST['team_member_firstname'])."',
                    team_member_surname = 
'".addslashes($_REQUEST['team_member_surname'])."',
                    team_member_email = 
'".addslashes($_REQUEST['team_member_email'])."',
                    team_member_phone = 
'".addslashes($_REQUEST['team_member_phone'])."',
                    team_member_desc = 
'".mysql_real_escape_string($_REQUEST['team_member_desc'])."',
                    team_member_pic = '".$filepath."'";

mysql_query($insert) or die(mysql_error());

Can anyone give some guidance on what could be causing this error? Would really appreciate any thoughts/ideas you would have.

2 answers

solution1
 2  2017-03-17 11:25:18

Use sprintf like this 

$insert = sprintf("INSERT INTO ".TABLE_PREFIX."host_manager_team_members SET 
                    user_id = '%s',
                    team_member_firstname =     
'%s',
                    team_member_surname = 
'%s',
                    team_member_email = 
'%s',
                    team_member_phone = 
'%s',
                    team_member_desc = 
'%s',
                    team_member_pic = '%s'",$_REQUEST['id'],addslashes($_REQUEST['team_member_firstname']),addslashes($_REQUEST['team_member_surname']),addslashes($_REQUEST['team_member_email']),addslashes($_REQUEST['team_member_phone']),mysql_real_escape_string($_REQUEST['team_member_desc']),$filepath);

mysql_query($insert) or die(mysql_error());

solution2
 0  2017-03-18 01:41:21

Your code is just about as vulnerable as it can be:

  • Don't use $_REQUEST , as you don't know where the data is coming from. It is a combination of $_GET , $_POST and $_COOKIE , and it makes it very easy for a user to inject their own additional data by simply appending ?evilstuff=hahaha to the URL.
  • Don't use mysql_ functions. They are deprecated and removed in PHP7. That's good because MySQL4, for which the original functions were created, did not have the more secure features implemented later.
  • Don't use addslashes . It a poor attempt to escape strings against the possibility of SQL injection. If you must do it the old way, use one of the real_escape_string functions. Better still:
  • Always use prepared statements when accommodating user data. Preparing the statement results in interpreting the SQL before data has been injected, so any additional data, even if it looks like SQL, will be treated as pure data only.

Finally,

  • It is much easier to use PDO, which has been available since PHP 5.

Here is an alternative using PDO & prepared statements: 

$table=TABLE_PREFIX.'host_manager_team_members';
$insert = "INSERT INTO $table SET  user_id = ?, team_member_firstname = ?,
    team_member_surname = ?, team_member_email = ?, team_member_phone = ?,
    team_member_desc = ?, team_member_pic = ?";
$prepared=$pdo->prepare($insert);
$prepared->execute(array(
    $_REQUEST['id'],
    $_REQUEST['team_member_firstname'],
    $_REQUEST['team_member_surname'],
    $_REQUEST['team_member_email'],
    $_REQUEST['team_member_phone']
    $_REQUEST['team_member_desc'],
    $filepath
));

The SQL statement is much easier to debug when you can see it by itself.

Note that you do not put quotes around the string values in a prepared statement. This is because quotes are only required for strings when they are constructed in code. By the time the prepared statement gets the data, the string has already been constructed.

I have also used a double quoted string to allow the interpolation of a variable which is not user-generated .

I see that you're using a quirky MySQL extension to the INSERT statement, which is by no means universally supported. Perhaps you should try the more standard syntax: 

$insert = "INSERT INTO $table user_id (team_member_firstname,
    team_member_surname, team_member_email, team_member_phone,
    team_member_desc, team_member_pic)
    VALUES(?,?,?,?,?,?)";

Finally, to answer your question, it is quite possible that the error is caused by the data itself. What you need to do is print the contents of your string generated string, and then run that though MySQL directly (possibly using the SQL tab in PHPMySQL).

So, even without doing any of the above, you should try: 

print $insert;
exit;

Perhaps you could try this and post the results here.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question MySQL Syntax Error Error Debugging a MYSQL syntax error mySQL error on syntax MySQL NOW() Syntax error mySQL query syntax error? Syntax error on MySQL MySQL Transaction Syntax Error MySql syntax error, insert PHP MySQL Syntax Error MySQL syntax error
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM