php 您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,以获取在第 2 行的 '''')' 附近使用的正确语法
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11093634/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''')' at line 2
提问by Psinyee
I am getting an Error in MySQL:
我在 MySQL 中遇到错误:
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '''')' at line 2'.
HTML Code:
HTML代码:
<form action="read_message.php" method="post">
<table class="form_table">
<tr>
<td style="font-weight:bold;">Subject:</td>
<td><input style=" width:300px" name="form_subject"/></td>
<td></td>
</tr>
<tr>
<td style="font-weight:bold;">Message:</td>
<td id="myWordCount"> (300 words left)</td>
<td></td>
</tr>
<tr>
<td><input type="hidden" name="sender_id" value="<?php echo $sender_id?>"></td>
<td><textarea cols="50" rows="4" name="form_message"></textarea></td>
<td valign="bottom"><input type="submit" name="submit_message" value="send"></td>
</tr>
</table>
</form>
Code to insert into a mysql table:
插入mysql表的代码:
<?php
include_once"connect_to_mysql.php";
//submit new message
if($_POST['submit_message']){
if($_POST['form_subject']==""){
$submit_subject="(no subject)";
}else{
$submit_subject=$_POST['form_subject'];
}
$submit_message=$_POST['form_message'];
$sender_id = $_POST['sender_id'];
if($shortMessagesLeft<1){
$form_error_message='You have left with '.$shortMessagesLeft.' Short Message. Please purchase it from the <a href="membership.php?id='.$id.'">shop</a>.';
}
else if($submit_message==""){
$form_error_message = 'Please fill in the message before sending.';
}
else{
$message_left = $shortMessagesLeft-1;
$update_short_message = mysql_query("UPDATE message_count SET short_message = '$message_left' WHERE user_id = '$id'");
$sql = mysql_query("INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
VALUES('$sender_id', '$id', now(),'$submit_subject','$submit_message')") or die (mysql_error());
}
}
?>
What does the error mean and what am I doing wrong?
错误是什么意思,我做错了什么?
回答by Code Magician
There is a single quote in $submitsubjector $submit_message
在$submitsubjector 中有一个单引号$submit_message
Why is this a problem?
为什么这是个问题?
The single quote char terminates the string in MySQL and everything past that is treated as a sql command. You REALLYdon't want to write your sql like that. At best, your application will break intermittently (as you're observing) and at worst, you have just introduced a huge security vulnerability.
单引号字符终止 MySQL 中的字符串以及所有过去被视为 sql 命令的内容。你真的不想那样写你的sql。最好的情况是,您的应用程序会间歇性地中断(正如您所观察到的),而最坏的情况是,您刚刚引入了一个巨大的安全漏洞。
Imagine if someone submitted '); DROP TABLE private_messages;in submit message.
想象一下,如果有人'); DROP TABLE private_messages;在提交消息中提交。
Your SQL Command would be:
您的 SQL 命令将是:
INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
VALUES('sender_id', 'id', now(),'subjet','');
DROP TABLE private_messages;
Instead you need to properly sanitize your values.
相反,您需要正确净化您的价值观。
AT A MINIMUM you must run each value through mysql_real_escape_string()but you should really be using prepared statements.
在最低限度,您必须运行每个值,mysql_real_escape_string()但您确实应该使用准备好的语句。
If you were using mysql_real_escape_string()your code would look like this:
如果您使用mysql_real_escape_string()的是代码,则如下所示:
if($_POST['submit_message']){
if($_POST['form_subject']==""){
$submit_subject="(no subject)";
}else{
$submit_subject=mysql_real_escape_string($_POST['form_subject']);
}
$submit_message=mysql_real_escape_string($_POST['form_message']);
$sender_id = mysql_real_escape_string($_POST['sender_id']);
Here is a great articleon prepared statements and PDO.
回答by Edgar Villegas Alvarado
That's called SQL INJECTION. The 'tries to open/close a string in your mysql query. You should always escape any string that gets into your queries.
这就是所谓的 SQL 注入。在'你的MySQL查询试图打开/关闭的字符串。您应该始终对进入查询的任何字符串进行转义。
for example,
例如,
instead of this:
而不是这个:
"VALUES ('$sender_id') "
do this:
做这个:
"VALUES ('". mysql_real_escape_string($sender_id) ."') "
(or equivalent, of course)
(或等价物,当然)
However, it's better to automate this, using PDO, named parameters, prepared statements or many other ways. Research about this and SQL Injection (hereyou have some techniques).
但是,最好使用 PDO、命名参数、准备好的语句或许多其他方式自动执行此操作。研究这个和 SQL 注入(这里有一些技术)。
Hope it helps. Cheers
希望能帮助到你。干杯
回答by Vivek Sharma
Please make sure you have downloaded the sqldump fully, this problem is very common when we try to import half/incomplete downloaded sqldump. Please check size of your sqldump file.
请确保您已完整下载 sqldump,当我们尝试导入一半/不完整下载的 sqldump 时,此问题很常见。请检查您的 sqldump 文件的大小。
回答by Shobs
I was getting the same error when I used this code to update the record:
当我使用此代码更新记录时,我遇到了同样的错误:
@mysqli_query($dbc,$query or die()))
After removing or die, it started working properly.
删除后or die,它开始正常工作。
回答by Elharony
I had this problem before, and the reason is very simple: Check your variables, if there were strings, so put it in quotes '$your_string_variable_here' ,, if it were numerical keep it without any quotes. for example, if I had these data: $name ( It will be string ) $phone_number ( It will be numerical ) So, it will be like that:
我以前遇到过这个问题,原因很简单:检查你的变量,如果有字符串,那么把它放在引号 '$your_string_variable_here' 中,如果它是数字,则不带任何引号。例如,如果我有这些数据: $name (它将是字符串) $phone_number (它将是数字) 所以,它会是这样的:
$query = "INSERT INTO users(name, phone) VALUES ('$name', $phone)";
Just like that and it will be fixed ^_^
$query = "INSERT INTO users( name, phone) VALUES ('$name', $phone)"; 就这样,它会被修复^_^
