SQL error retrieving data

Time: 2012-12-22 20:32:39

Tags: php mysql sql

No matter what I change, I keep running this code and getting the same error.

require('common.php');
$charname = $_SESSION['user']['username'];
$query = "SELECT group, guild, username, class, level 
          FROM DD_users 
          WHERE username = '".$charname."'";
try
{
    // These two statements run the query against your database table.
    $stmt = $db->prepare($query);
    $stmt->execute();
}
catch(PDOException $ex)
{
    // Note: On a production website, you should not output $ex->getMessage().
    // It may provide an attacker with helpful information about your code. 
    die("Failed to run query: " . $ex->getMessage());
}

// Finally, we can retrieve all of the found rows into an array using fetchAll
$rows = $stmt->fetchAll();

//print_r($rows);
$group = $rows['0']['adminaccess'];
$guild = $rows['0']['guild'];
$username = $rows['0']['username'];
$class = $rows['0']['class'];
$level = $rows['0']['level'];

It returns this error:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'group, guild, username, class, level FROM DD_users ' at line 1

Apparently I need more text to edit this......

4 answers:

Answer 0 (score: 5)

You forgot the ' character:

$query = "SELECT group, guild, username, class, level 
          FROM DD_users 
          WHERE username = '".$charname."'";

Answer 1 (score: 4)

Try this:

$query = "SELECT group, guild, username, class, level FROM DD_users WHERE username = '".$charname."'";

Note the extra quotes '. You need them if you are querying a string.

Also: group may be a reserved keyword. You need to escape it with `-style quotes or [brackets]. Try which one works.

Answer 2 (score: 3)

Note that the group keyword is reserved; try enclosing it in backticks.

Answer 3 (score: 1)

The following will save you the trouble with the single quotes; but more importantly, it also protects against SQL injection attacks. You never want to take input and push it straight into a SQL query string. Terrible things can happen.

Note the ? marker in the query string, and the execute(array($charname)) call, which passes $charname as the value to substitute for the ?. Doing it this way lets the underlying library code quote $charname into the query safely.

require('common.php');
$charname = $_SESSION['user']['username'];
$query = "SELECT `group`, guild, username, class, level 
          FROM DD_users 
          WHERE username = ?";
try
{
    // These two statements run the query against your database table.
    $stmt = $db->prepare($query);
    $stmt->execute(array($charname));
}
catch(PDOException $ex)
{
    // Note: On a production website, you should not output $ex->getMessage().
    // It may provide an attacker with helpful information about your code. 
    die("Failed to run query: " . $ex->getMessage());
}

// Finally, we can retrieve all of the found rows into an array using fetchAll
$rows = $stmt->fetchAll();

print_r($rows);
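The two fixes the answers describe, backtick-quoting the reserved word `group` and binding the username as a parameter instead of concatenating it, shown together as a complete script. This is an added example, not code from the question or from any of the answers: it runs the same lookup against an in-memory SQLite database through PDO so it works offline, and the table layout, the sample rows and the function names makeDb, fetchCharacter and check are constructed for the example; only the column names come from the question.

```php
<?php
// Added example (not the question's or any answer's code): the character
// lookup with a quoted `group` identifier and a bound parameter, run against
// an in-memory SQLite database so it needs no MySQL server. The table and
// sample rows are constructed for the example.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

    // `group` is a reserved word in MySQL, so it is quoted as an identifier
    // with backticks everywhere it appears (SQLite accepts backticks too).
    $db->exec('CREATE TABLE DD_users (
        `group`  TEXT NOT NULL,
        guild    TEXT NOT NULL,
        username TEXT NOT NULL UNIQUE,
        class    TEXT NOT NULL,
        level    INTEGER NOT NULL
    )');

    $insert = $db->prepare(
        'INSERT INTO DD_users (`group`, guild, username, class, level) VALUES (?, ?, ?, ?, ?)'
    );
    // Constructed sample data; the second username contains a single quote
    // on purpose, the case that breaks hand-built query strings.
    $insert->execute(['admin', 'Knights', 'alice', 'mage', 42]);
    $insert->execute(['user', 'Rogues', "o'brien", 'thief', 7]);
    return $db;
}

/**
 * Look up one character by username. Returns the row as an associative
 * array, or null when no such user exists; the question's $rows['0'][...]
 * would raise an undefined-index notice in that case.
 */
function fetchCharacter(PDO $db, string $charname): ?array
{
    $stmt = $db->prepare(
        'SELECT `group`, guild, username, class, level FROM DD_users WHERE username = ?'
    );
    // $charname travels as a bound parameter, never as part of the SQL text,
    // so any quote characters it contains are data, not syntax.
    $stmt->execute([$charname]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Small check helper so the script fails loudly regardless of zend.assertions.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$db = makeDb();

$row = fetchCharacter($db, 'alice');
check($row !== null && $row['group'] === 'admin', 'alice is in the admin group');
check($row !== null && (int) $row['level'] === 42, 'alice is level 42');

$row = fetchCharacter($db, "o'brien");   // no manual escaping needed
check($row !== null && $row['class'] === 'thief', "o'brien found despite the quote");

check(fetchCharacter($db, 'nobody') === null, 'unknown user yields null, not a notice');

echo "Lookups OK\n";
```

Run it with `php example.php`; it needs the pdo_sqlite extension, which ships with most PHP builds. Two details worth carrying back to the MySQL code: read the result as `$row['group']`, since the SELECT list in the question contains no `adminaccess` column and that index is always undefined; and test for a missing row before indexing, because `fetchAll()` returns an empty array when the session username matches nothing.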