Hi, I am trying to insert an alphanumeric value into a varchar column of a table. I am inserting it through a variable but get error 1604, which says the syntax is incorrect. This is the code:
SET @sql = CONCAT('insert into ', @user_table_name, '
(user, user2, message, mesg_type, date_time, mesg_read_status)
values (',@user_id,',',@user2_id,',',@message,',',@mesg_type,',',@date_time,',',@read_status,')'
);
select @sql;
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
For the user column I am passing an alphanumeric value.
Answer 0 (score: 0)
Learn to use parameters:
SET @sql = CONCAT('
insert into ', @user_table_name, ' (user, user2, message, mesg_type, date_time, mesg_read_status)
values (?, ?, ?, ?, ?, ?)
');
PREPARE stmt FROM @sql;
EXECUTE stmt USING @user_id, @user2_id, @message, @mesg_type, @date_time, @read_status;
DEALLOCATE PREPARE stmt;
Don't put parameter values into the query string. It makes the code harder to debug, more error-prone, harder to read, and opens another line of attack for SQL injection.
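The parameterised pattern from this answer, wrapped in a stored procedure, as an added example that is not part of the original question or answers. Values travel as bound parameters through EXECUTE ... USING, so an alphanumeric user id needs no quoting in the SQL text; the table name cannot be bound, so it is checked against INFORMATION_SCHEMA and backtick-quoted before it is concatenated. The procedure name and the column data types are assumptions; the column names come from the question.

```sql
-- Added example: safe dynamic INSERT for a per-user message table.
-- Column names are taken from the question; data types and the
-- procedure name are assumed.
DELIMITER $$
CREATE PROCEDURE insert_user_message(
    IN p_table_name VARCHAR(64),
    IN p_user_id    VARCHAR(64),   -- alphanumeric, no quoting needed
    IN p_user2_id   VARCHAR(64),
    IN p_message    TEXT,
    IN p_mesg_type  INT,
    IN p_date_time  DATETIME,
    IN p_read_status TINYINT
)
BEGIN
    -- The identifier is the only dynamic part of the statement.
    -- Refuse anything that is not an existing table in the current
    -- schema, so a caller cannot steer the INSERT elsewhere.
    IF NOT EXISTS (
        SELECT 1 FROM INFORMATION_SCHEMA.TABLES
        WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = p_table_name
    ) THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Unknown message table';
    END IF;

    -- Backtick-quote the identifier; every value is a ? placeholder.
    SET @sql = CONCAT(
        'INSERT INTO `', REPLACE(p_table_name, '`', '``'), '` ',
        '(user, user2, message, mesg_type, date_time, mesg_read_status) ',
        'VALUES (?, ?, ?, ?, ?, ?)'
    );

    -- EXECUTE ... USING takes user variables (@...), so copy the
    -- routine parameters into them before binding.
    SET @v_user = p_user_id, @v_user2 = p_user2_id, @v_message = p_message,
        @v_type = p_mesg_type, @v_dt = p_date_time, @v_read = p_read_status;

    PREPARE stmt FROM @sql;
    EXECUTE stmt USING @v_user, @v_user2, @v_message, @v_type, @v_dt, @v_read;
    DEALLOCATE PREPARE stmt;
END$$
DELIMITER ;

-- Usage with constructed sample values (table 'messages_42' must exist):
CALL insert_user_message('messages_42', 'abc123', 'xyz789', 'hello', 1, NOW(), 0);
```

Because the values never touch the SQL text, a message containing a quote or a semicolon is stored verbatim instead of breaking the statement or changing its meaning.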
Answer 1 (score: 0)
SET @sql = CONCAT('insert into ', @user_table_name, '
(user, user2, message, mesg_type, date_time, mesg_read_status)
values (\'',@user_id,'\',',@user2_id,',',@message,',',@mesg_type,',',@date_time,',',@read_status,')'
);
select @sql;
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
This statement should work. Give it a try.