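Database Connection FailedYou have an error in your SQL syntax;

Time: 2017-06-30 11:06:40

Tags: php mysql error-handling database-connection

I am creating an edit profile page where the logged-in user can edit their profile. I am now getting the error below. What should I do?

Error: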

Database Connection FailedYou have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '= 'test@hotmail.com', Password = 'test', FirstName = 'hello', SecondName = 'world' at line 1

My code:

    <?php
    $connection = mysqli_connect('localhost', 'root', '', 'dbrateme');
    if (!$connection) {
        // mysqli_connect_error() reports why the connection attempt failed
        die("Database Connection Failed" . mysqli_connect_error());
        header('Location: dcf.php');
    }
    $select_db = mysqli_select_db($connection, 'dbrateme');
    if (!$select_db) {
        // mysqli_error() needs the connection handle
        die("Database Selection Failed" . mysqli_error($connection));
    }

    if (isset($_POST['upd'])) {
        $course = $_POST['Course'];
        $email = $_POST['inputEmail'];
        $password = $_POST['inputPassword'];
        $FN = $_POST['FirstName'];
        $SN = $_POST['SecondName'];

        $qsql = $_COOKIE['userID'];
        $qresult = mysqli_query($connection, $qsql);
        $qcount = mysqli_connect($qresult);
        // This is the UPDATE that produces the syntax error shown above
        $sqli = "UPDATE tblaccounts Email = '".$email."', Password = '".$password."', FirstName = '".$FN."', SecondName = '".$SN."', Course = '".$course."' WHERE Student_ID='".$qsql."'";

        $result = mysqli_query($connection, $sqli) or die("Database Connection Failed" . mysqli_error($connection));
        //$count = mysqli_num_rows($result);
        echo "Profile Update Successful!:";
        header('Location: profile.php');
    } else {
        echo "Profile Update Failed!:";
        ?><br/><a href ="updatesettigns.php">Go back to the profile update screen.</a><?php
    }
    ?>

2 answers:

Answer 0: (score: 1)

You missed the SET keyword in your SQL. The update syntax is UPDATE <table> SET <column name> = value

$sqli = "UPDATE tblaccounts SET Email = '".$email."', Password = '".$password."', FirstName = '".$FN."', SecondName = '".$SN."', Course = '".$course."' WHERE Student_ID='".$qsql."'";

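Learn about prepared statements to prevent SQL injection.

Never store passwords as plain text. Use a function to encrypt them.

Answer 1: (score: 0)

The problem is in the query, but my god, you are wide open to a serious case of SQL injection. On to the first problem.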

UPDATE tblaccounts Email

Change this to

UPDATE tblaccounts SET Email

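The query you are using is vulnerable to SQL injection attacks. You should fix this as soon as possible. I recommend using PDO prepared statements for all SQL queries. http://php.net/manual/en/book.pdo.php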
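
The prepared-statement approach both answers point to, as an added example (not code from either answer or from the asker): the same UPDATE on `tblaccounts` with bound parameters, storing the password via PHP's `password_hash()`. The `updateProfile` function, the in-memory SQLite table and the sample input are assumptions made so the script runs offline; against MariaDB only the DSN changes.

```php
<?php
declare(strict_types=1);
// Added example: parameterized UPDATE with PDO. Uses a constructed in-memory
// SQLite table; for MariaDB the DSN would look like
// 'mysql:host=localhost;dbname=dbrateme;charset=utf8mb4'.

function updateProfile(PDO $pdo, string $studentId, array $in): int
{
    // Placeholders keep user input out of the SQL text; values are bound as data.
    $stmt = $pdo->prepare(
        'UPDATE tblaccounts
            SET Email = :email, Password = :hash, FirstName = :fn,
                SecondName = :sn, Course = :course
          WHERE Student_ID = :id'
    );
    $stmt->execute([
        ':email'  => $in['inputEmail'],
        // Store a salted one-way hash instead of the plain-text password.
        ':hash'   => password_hash($in['inputPassword'], PASSWORD_DEFAULT),
        ':fn'     => $in['FirstName'],
        ':sn'     => $in['SecondName'],
        ':course' => $in['Course'],
        ':id'     => $studentId,
    ]);
    return $stmt->rowCount(); // number of rows changed
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblaccounts (Student_ID TEXT PRIMARY KEY, Email TEXT,
            Password TEXT, FirstName TEXT, SecondName TEXT, Course TEXT)');
$pdo->exec("INSERT INTO tblaccounts (Student_ID) VALUES ('1001'), ('1002')"); // constructed rows

// Constructed form input. The apostrophe in FirstName would end the string
// literal early in the concatenated query; bound as a parameter it is just data.
$post = [
    'inputEmail' => 'test@hotmail.com', 'inputPassword' => 'test',
    'FirstName'  => "O'Brien", 'SecondName' => 'world', 'Course' => 'CS',
];
$changed = updateProfile($pdo, '1001', $post);

$row = $pdo->query("SELECT * FROM tblaccounts WHERE Student_ID = '1001'")
           ->fetch(PDO::FETCH_ASSOC);
var_dump($changed === 1);                             // only the target row changed
var_dump($row['FirstName'] === $post['FirstName']);   // stored verbatim, quote included
var_dump($row['Password'] !== 'test');                // no plain text in the table
var_dump(password_verify('test', $row['Password']));  // login check still works
```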