[英]MySQL query syntax error when used in PHP
iPhone代碼
當我使用此代碼時,它總是顯示錯誤密碼,但我輸入的是正確的憑據。
NSString *post =[NSString stringWithFormat:@"UserName=%@&UserPas sword=%@",userNameTextField.text, userPasswordTextFiled.text];
NSString *hostStr = @"http://www.celeritas-solutions.com/emrapp/connect.php";
= [hostStr stringByAppendingString:post];
NSData *dataURL = [NSData dataWithContentsOfURL: [ NSURL URLWithString: hostStr ]];
NSString *serverOutput = [[NSString alloc] initWithData:dataURL encoding: NSASCIIStringEncoding];
if([serverOutput isEqualToString:@"Yes"]){
UIAlertView *alertsuccess = [[UIAlertView alloc] initWithTitle:@"Congrats" message:@"You are authorized "
delegate:self cancelButtonTitle:@"OK" otherButtonTitles:nil, nil];
[alertsuccess show];
[alertsuccess release];
} else {
UIAlertView *alertsuccess = [[UIAlertView alloc] initWithTitle:@"Error" message:@"Username or Password Incorrect"
delegate:self cancelButtonTitle:@"OK" otherButtonTitles:nil, nil];
[alertsuccess show];
[alertsuccess release];
}
我正在從數據庫獲取驗證用戶名和密碼,但它給出了SQL語法錯誤,
You have an error in your SQL syntax; check the manual that corresponds to your MySQLserver version for the right syntax to use near 'AND UserPassword=' at line 1
mysql_select_db("emriphone", $con);
$u=$_GET['UserName'];
$pw=$_GET['UserPassword'];
$check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";
$login=mysql_query($check,$con) or die(mysql_error());
if(mysql_num_rows($login)==1){
$row =mysql_fetch_assoc($login);
echo 'YES'; exit;
}
else{
echo'NO';exit;
}
mysql_connect($con);
您需要在查詢中放置單引號-
$check ="SELECT UserName, UserPassword
FROM appUsers
WHERE UserName='$u'
AND UserPassword='$pw'"; // These are probably varchar data columns
// in your db. In that case, you should
// put single quotes like this.
在數據庫中搜索文本字段時,應在其周圍加上單引號。 否則,MySQL會將其報告為錯誤。
也許您需要在where子句中的用戶名和密碼參數周圍添加單引號,因為我假設它們是字符串。 在MySQL中,您需要將字符串用單引號引起來。
假設用戶名和密碼是文本字段,則應按以下說明更正
$check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";
至
$check ="SELECT UserName,UserPassword from appUsers WHERE UserName='$u' AND UserPassword='$pw'";
包括用戶名和密碼的單引號
在查詢中對變量使用單引號''
希望這對您有所幫助。
$check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";
並且由於您使用的是mysql,請確保使用以下命令針對SQL注入清除用戶名和密碼:
$u = mysql_real_escape_string($_GET['UserName']);
$pw = mysql_real_escape_string($_GET['UserPassword']);
最后的想法; 使用POST而不是GET登錄頁面; D呵呵
保護自己免受SQL注入
$query = sprintf("SELECT UserName,UserPassword from appUsers WHERE UserName='%s' AND UserPassword='%s'", mysql_real_escape_string($u),mysql_real_escape_string($pw));
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.