無法運行查詢：SQLSTATE [42000]：語法錯誤或訪問沖突：1064 SQL語法有錯誤

Question

無法運行查詢：SQLSTATE [42000]：語法錯誤或訪問沖突：1064您的SQL語法有錯誤；您可能無法使用它。 檢查與您的MySQL服務器版本對應的手冊以獲取正確的語法，以便在第4行的'telephone ='952 123 123'mobiletelephone ='655 000 000''附近使用

有人可以幫忙嗎？

 <?php 

// First we execute our common code to connection to the database and start the session 
require("common.php"); 

// At the top of the page we check to see whether the user is logged in or not 
if(empty($_SESSION['user'])) 
{ 
    // If they are not, we redirect them to the login page. 
    header("Location: login.php"); 

    // Remember that this die statement is absolutely critical.  Without it, 
    // people can view your members-only content without logging in. 
    die("Redirecting to login.php"); 
} 

// This if statement checks to determine whether the edit form has been submitted 
// If it has, then the account updating code is run, otherwise the form is displayed 
if(!empty($_POST)) 
{ 
    // Make sure the user entered a valid E-Mail address 
    if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) 
    { 
        die("Invalid E-Mail Address"); 
    } 

    // If the user is changing their E-Mail address, we need to make sure that 
    // the new value does not conflict with a value that is already in the system. 
    // If the user is not changing their E-Mail address this check is not needed. 
    if($_POST['email'] != $_SESSION['user']['email']) 
    { 
        // Define our SQL query 
        $query = " 
            SELECT 
                1 
            FROM users 
            WHERE 
                email = :email AND
                telephone = :telephone AND
                mobiletelephone = :mobiletelephone
        "; 

        // Define our query parameter values 
        $query_params = array( 
            ':email' => $_POST['email'] 
        ); 

        try 
        { 
            // Execute the query 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("Failed to run query: " . $ex->getMessage()); 
        } 

        // Retrieve results (if any) 
        $row = $stmt->fetch(); 
        if($row) 
        { 
            die("This E-Mail address is already in use"); 
        } 
    } 

    // If the user entered a new password, we need to hash it and generate a fresh salt 
    // for good measure. 
    if(!empty($_POST['password'])) 
    { 
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
        $password = hash('sha256', $_POST['password'] . $salt); 
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password . $salt); 
        } 
    } 
    else 
    { 
        // If the user did not enter a new password we will not update their old one. 
        $password = null; 
        $salt = null; 
    } 

    // Initial query parameter values 
    $query_params = array( 
        ':email' => $_POST['email'], 
        ':telephone' => $_POST['telephone'],
        ':mobiletelephone' => $_POST['mobiletelephone'],
        ':user_id' => $_SESSION['user']['id'], 
    ); 

    // If the user is changing their password, then we need parameter values 
    // for the new password hash and salt too. 
    if($password !== null) 
    { 
        $query_params[':password'] = $password; 
        $query_params[':salt'] = $salt; 
    } 

    // Note how this is only first half of the necessary update query.  We will dynamically 
    // construct the rest of it depending on whether or not the user is changing 
    // their password. 
    $query = " 
        UPDATE users 
        SET 
            email = :email,
            telephone = :telephone,
            mobiletelephone = :mobiletelephone


    "; 

    // If the user is changing their password, then we extend the SQL query 
    // to include the password and salt columns and parameter tokens too. 
    if($password !== null) 
    { 
        $query .= " 
            , password = :password 
            , salt = :salt 
        "; 
    } 

    // Finally we finish the update query by specifying that we only wish 
    // to update the one record with for the current user. 
    $query .= " 
        WHERE 
            id = :user_id 
    "; 

    try 
    { 
        // Execute the query 
        $stmt = $db->prepare($query); 
        $result = $stmt->execute($query_params); 
    } 
    catch(PDOException $ex) 
    { 
        // Note: On a production website, you should not output $ex->getMessage(). 
        // It may provide an attacker with helpful information about your code.  
        die("Failed to run query: " . $ex->getMessage()); 
    } 

    // Now that the user's E-Mail address has changed, the data stored in the $_SESSION 
    // array is stale; we need to update it so that it is accurate. 
    $_SESSION['user']['email'] = $_POST['email']; 
    $_SESSION['user']['telephone'] = $_POST['telephone'];
    $_SESSION['user']['mobiletelephone'] = $_POST['mobiletelephone'];

    // This redirects the user back to the members-only page after they register 
    header("Location: members.php"); 

    // Calling die or exit after performing a redirect using the header function 
    // is critical.  The rest of your PHP script will continue to execute and 
    // will be sent to the user if you do not die or exit. 
    die("Redirecting to members.php"); 
} 

?>

Answer 1

如錯誤消息所述，您的SQL查詢中存在語法錯誤：

SELECT 
    1 
FROM users 
 WHERE 
    email = :email 
    telephone = :telephone
    mobiletelephone = :mobiletelephone

您需要將WHERE子句與一些邏輯運算符結合在一起。 例如，如果查詢中所有這三個子句都必須為真，則可以使用AND運算符：

SELECT 
    1 
FROM users 
 WHERE 
    email = :email AND
    telephone = :telephone AND
    mobiletelephone = :mobiletelephone

同樣，您的UPDATE查詢需要用逗號分隔要更新的字段：

UPDATE users 
SET 
    email = :email,
    telephone = :telephone,
    mobiletelephone = :mobiletelephone

（注意：在執行該查詢之后，您看起來像是將更多字段附加到SET子句。您需要確保在構造整個查詢時，每個查詢都由逗號分隔。）