在PHP中使用MySQL查詢語法錯誤

Question

iPhone代碼

當我使用此代碼時，它總是顯示錯誤密碼，但我輸入的是正確的憑據。

    NSString *post =[NSString stringWithFormat:@"UserName=%@&UserPas   sword=%@",userNameTextField.text, userPasswordTextFiled.text];

    NSString *hostStr = @"http://www.celeritas-solutions.com/emrapp/connect.php";
     = [hostStr stringByAppendingString:post];
    NSData *dataURL =  [NSData dataWithContentsOfURL: [ NSURL URLWithString: hostStr ]];    
    NSString *serverOutput = [[NSString alloc] initWithData:dataURL encoding: NSASCIIStringEncoding];
    if([serverOutput isEqualToString:@"Yes"]){
           UIAlertView *alertsuccess = [[UIAlertView alloc] initWithTitle:@"Congrats" message:@"You are authorized "
                                                          delegate:self cancelButtonTitle:@"OK" otherButtonTitles:nil, nil];
       [alertsuccess show];
           [alertsuccess release];


    } else {
            UIAlertView *alertsuccess = [[UIAlertView alloc] initWithTitle:@"Error" message:@"Username or Password Incorrect"
                                                          delegate:self cancelButtonTitle:@"OK" otherButtonTitles:nil, nil];
            [alertsuccess show];
            [alertsuccess release];

    }

我正在從數據庫獲取驗證用戶名和密碼，但它給出了SQL語法錯誤，

   You have an error in your SQL syntax; check the manual that corresponds to your   MySQLserver version for the right syntax to use near 'AND UserPassword=' at line 1

  mysql_select_db("emriphone", $con);


  $u=$_GET['UserName'];
  $pw=$_GET['UserPassword'];

   $check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";

  $login=mysql_query($check,$con) or die(mysql_error());

  if(mysql_num_rows($login)==1){

  $row =mysql_fetch_assoc($login);
  echo 'YES'; exit;
   }

 else{
   echo'NO';exit;
  }

 mysql_connect($con);

Answer 1

您需要在查詢中放置單引號-

$check ="SELECT UserName, UserPassword 
         FROM   appUsers 
         WHERE UserName='$u'           
         AND UserPassword='$pw'";      // These are probably varchar data columns 
                                       // in your db. In that case, you should 
                                       // put single quotes like this.

在數據庫中搜索文本字段時，應在其周圍加上單引號。 否則，MySQL會將其報告為錯誤。

Answer 2

也許您需要在where子句中的用戶名和密碼參數周圍添加單引號，因為我假設它們是字符串。 在MySQL中，您需要將字符串用單引號引起來。

Answer 3

假設用戶名和密碼是文本字段，則應按以下說明更正

$check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";

至

$check ="SELECT UserName,UserPassword from appUsers WHERE UserName='$u' AND UserPassword='$pw'";

包括用戶名和密碼的單引號

Answer 4

在查詢中對變量使用單引號''

希望這對您有所幫助。

Answer 5

 $check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";

並且由於您使用的是mysql，請確保使用以下命令針對SQL注入清除用戶名和密碼：

$u = mysql_real_escape_string($_GET['UserName']);
$pw = mysql_real_escape_string($_GET['UserPassword']);

最后的想法； 使用POST而不是GET登錄頁面； D呵呵

Answer 6

保護自己免受SQL注入

$query = sprintf("SELECT UserName,UserPassword from appUsers WHERE UserName='%s' AND UserPassword='%s'", mysql_real_escape_string($u),mysql_real_escape_string($pw));