All the server details are put in correctly, and the connection does happen properly, but I cannot seem to find the syntax error that shows up in the output.
<?php
ob_start();
$phn=$_GET['phn'];
$con = mysql_connect("<server>","<user>","<pass>") or die('error' . mysql_error());
$db_selected = mysql_select_db('<db name>', $con);
if (!$db_selected) {
    die ('Can\'t use user : ' . mysql_error());
}
$characters = 'abcdefghijklmnopqrstuvwxyz0123456789';
$key= '';
for ($i = 0; $i < 9; $i++) {
    $key.= $characters[rand(0, strlen($characters) - 1)];
}
echo $key;
$sql="INSERT INTO buser (phone, key) VALUES (".$phn.",'".$key."')";
if($result = mysql_query($sql ,$con) or die ('Error: '.mysql_error ()))
{
    $q="SELECT * FROM buser WHERE phone=$phn";
    $idd=mysql_query($q,$con) or die ('Error: '.mysql_error ());
    while($row = mysql_fetch_assoc($idd))
    {
        $id=$row['bid'];
    }
}
?>
Output:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key) VALUES (9999,'ywfjj2dtc')' at line 1
KEY is a MySQL reserved keyword. You must enclose it in backticks to use it as a column or table identifier.
$sql="INSERT INTO buser (phone, `key`) VALUES (".$phn.",'".$key."')";
Your script is vulnerable to SQL injection in its current form. At a minimum, you must call mysql_real_escape_string() on the value of $phn.
$phn = mysql_real_escape_string($_GET['phn']);
In the long term, consider switching to an API which supports prepared statements, like MySQLi or PDO.
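The prepared-statement approach mentioned in the answer, as an added example that is not part of the original question or answer. It assumes the table layout buser(bid, phone, `key`) inferred from the question, and uses an in-memory SQLite database through PDO as a stand-in for MySQL so it runs offline; the function names make_key and register_phone are hypothetical.

```php
<?php
// Added example: the question's INSERT/SELECT rewritten with PDO prepared statements.
// Assumptions: table buser(bid, phone, `key`) inferred from the question; SQLite in
// memory stands in for MySQL. For MySQL the DSN would look like
// "mysql:host=<server>;dbname=<db name>;charset=utf8mb4".

function make_key(int $length = 9): string
{
    $characters = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from a CSPRNG, unlike rand()
        $key .= $characters[random_int(0, strlen($characters) - 1)];
    }
    return $key;
}

function register_phone(PDO $pdo, string $phn): ?int
{
    // Reject anything that is not purely digits before touching the database.
    if (!ctype_digit($phn)) {
        return null;
    }
    // `key` still needs backticks as an identifier; the values are sent
    // separately as bound parameters and are never parsed as SQL.
    $insert = $pdo->prepare('INSERT INTO buser (phone, `key`) VALUES (:phone, :key)');
    $insert->execute([':phone' => $phn, ':key' => make_key()]);

    $select = $pdo->prepare('SELECT bid FROM buser WHERE phone = :phone');
    $select->execute([':phone' => $phn]);
    $bid = $select->fetchColumn();
    return $bid === false ? null : (int) $bid;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE buser (bid INTEGER PRIMARY KEY, phone TEXT, `key` TEXT)');

// Constructed inputs: one well-formed value and one that would have changed
// the meaning of the original concatenated query.
foreach (['9999', '9999 OR 1=1'] as $input) {
    $bid = register_phone($pdo, $input);
    echo $input, ' => ', $bid === null ? 'rejected' : "bid $bid", PHP_EOL;
}
```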