问题描述
我在MySQL中遇到错误:
I am getting an Error in MySQL:
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '''')' at line 2'.
HTML代码:
<form action="read_message.php" method="post">
<table class="form_table">
<tr>
<td style="font-weight:bold;">Subject:</td>
<td><input style=" width:300px" name="form_subject"/></td>
<td></td>
</tr>
<tr>
<td style="font-weight:bold;">Message:</td>
<td id="myWordCount"> (300 words left)</td>
<td></td>
</tr>
<tr>
<td><input type="hidden" name="sender_id" value="<?php echo $sender_id?>"></td>
<td><textarea cols="50" rows="4" name="form_message"></textarea></td>
<td valign="bottom"><input type="submit" name="submit_message" value="send"></td>
</tr>
</table>
</form>
要插入到mysql表中的代码:
Code to insert into a mysql table:
<?php
include_once"connect_to_mysql.php";
//submit new message
if($_POST['submit_message']){
if($_POST['form_subject']==""){
$submit_subject="(no subject)";
}else{
$submit_subject=$_POST['form_subject'];
}
$submit_message=$_POST['form_message'];
$sender_id = $_POST['sender_id'];
if($shortMessagesLeft<1){
$form_error_message='You have left with '.$shortMessagesLeft.' Short Message. Please purchase it from the <a href="membership.php?id='.$id.'">shop</a>.';
}
else if($submit_message==""){
$form_error_message = 'Please fill in the message before sending.';
}
else{
$message_left = $shortMessagesLeft-1;
$update_short_message = mysql_query("UPDATE message_count SET short_message = '$message_left' WHERE user_id = '$id'");
$sql = mysql_query("INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
VALUES('$sender_id', '$id', now(),'$submit_subject','$submit_message')") or die (mysql_error());
}
}
?>
错误是什么意思,我在做什么错了?
What does the error mean and what am I doing wrong?
推荐答案
在$submitsubject或$submit_message
为什么这是个问题?
单引号char终止MySQL中的字符串以及所有超过该字符的sql命令.您真的不想这样写您的sql.充其量,您的应用程序将间歇性地中断(如您所观察的那样),而最糟糕的是,您刚刚引入了一个巨大的安全漏洞.
The single quote char terminates the string in MySQL and everything past that is treated as a sql command. You REALLY don't want to write your sql like that. At best, your application will break intermittently (as you're observing) and at worst, you have just introduced a huge security vulnerability.
想象一下,如果有人在提交消息中提交了'); DROP TABLE private_messages;.
Imagine if someone submitted '); DROP TABLE private_messages; in submit message.
您的SQL命令为:
INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
VALUES('sender_id', 'id', now(),'subjet','');
DROP TABLE private_messages;
相反,您需要适当地清理自己的价值观.
Instead you need to properly sanitize your values.
至少必须通过mysql_real_escape_string()运行每个值,但实际上应该使用准备好的语句.
AT A MINIMUM you must run each value through mysql_real_escape_string() but you should really be using prepared statements.
如果您使用的是mysql_real_escape_string(),则代码将如下所示:
If you were using mysql_real_escape_string() your code would look like this:
if($_POST['submit_message']){
if($_POST['form_subject']==""){
$submit_subject="(no subject)";
}else{
$submit_subject=mysql_real_escape_string($_POST['form_subject']);
}
$submit_message=mysql_real_escape_string($_POST['form_message']);
$sender_id = mysql_real_escape_string($_POST['sender_id']);
这篇关于您的SQL语法有误;请检查与您的MySQL服务器版本相对应的手册,以在&#39;&#39;&#39;&#39;)&#39;中使用正确的语法.在第2行的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!