mysql不喜欢我的陈述

时间:2012-05-22 00:10:24

标签: php mysql

我正在尝试从我的数据库中的关系表中调用书籍详细信息,mysql在代码语法中引发了错误。上一页是

  <html>
    <head>
    <title>Retrieve Relationships</title>
    </head>
    <body>

    <dl>

    <?php
    // Connect to database server
    mysql_connect("localhost","","") or die (mysql_error ());

    // Select database
    mysql_select_db("test") or die(mysql_error());

    // Get data from the database depending on the value of the id in the URL
    $title = (isset($_GET['title']) && is_string($_GET['title'])) ? $_GET['title'] : null;
$sTitle = mysql_real_escape_string($title);
$strSQL = "SELECT relationships.bookone, relationships.booktwo, relationships.relationship
FROM relationships, books
WHERE books.bookid=relationships.bookone AND relationships.bookone='{$sTitle}'";
     $rs = mysql_query($strSQL)
    // Loop the recordset $rs

    while($row = mysql_fetch_array($rs)){

        // Write the data of the person
        echo "<dt>Book One:</dt><dd>" . $row["bookone"] . "</dd>";
        echo "<dt>Book Two:</dt><dd>" . $row["booktwo"] . "</dd>";
        echo "<dt>Relationship:</dt><dd>" . $row["relationship"] . "</dd>";
        echo "<dt>Likes:</dt><dd>" . $row["relationshiplikes"] . "</dd>";
        echo "<dt>Dislikes:</dt><dd>" . $row["relationshipdislikes"] . "</dd>";

    }

    // Close the database connection
    mysql_close();
    ?>

    </dl>
    <p><a href="search.php">Return to the list</a></p>

    </body>

    </html>

我试图让页面显示的是bookone的代码和booktwo的代码,其中bookones id = booksid

任何帮助将不胜感激

2 个答案:

答案 0 :(得分:2)

应该是:

$strSQL = "SELECT relationships.bookone, relationships.booktwo, relationships.relationship
FROM relationships, books
WHERE books.bookid=relationships.bookone AND relationships.bookone='{$_GET['bookone']}'";

虽然真的,但应该是:

$title = (isset($_GET['title']) && is_string($_GET['title'])) ? $_GET['title'] : null;
$sTitle = mysql_real_escape_string($title);
$strSQL = "SELECT relationships.bookone, relationships.booktwo, relationships.relationship
FROM relationships, books
WHERE books.bookid=relationships.bookone AND relationships.bookone='{$sTitle}'";

SQL injection相当糟糕:)。

(更不用说如果用户在标题中搜索带有撇号的书,它也会无害地破坏。)

答案 1 :(得分:0)

您似乎不需要此表的连接。你实际上根本没有使用书籍表。看起来你只需要:

SELECT r.bookone, r.booktwo, r.relationship FROM relationships AS r WHERE r.bookone='{$sTitle}'

但稍后您使用的是relationshiplikesrelationshipdislikes列,而您尚未使用此查询。所以也许你真正想要的是:

SELECT r.* FROM relationships AS r WHERE r.bookone='{$sTitle}'