mysqli update query syntax error

Time: 2013-08-07 22:07:51

Tags: php mysql mysqli

I get the following error message. Obviously there is a syntax problem in my code, but I'm not sure what it is. If I change $data to something simple like "pie", it updates. It seems to be an error with the serialized string?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' . DB_PFIX . 'settings SET setting_options = 'a:12:{s:13:"website_title"' at line 2

Code:

<?php

if( !empty( $_POST['submit'] ) ) {
    $data = serialize( array(
        'website_title' => $_POST['website_title'],
        'website_slogan' => $_POST['website_slogan'],
        'website_theme' => $_POST['website_theme'],
        'website_homepage' => $_POST['website_homepage'],
        'website_description' => $_POST['website_description'],
        'website_keywords' => $_POST['website_keywords'],
        'website_language' => $_POST['website_language'],
        'website_timezone' => $_POST['website_timezone'],
        'website_date_format' => $_POST['website_date_format'],
        'website_time_format' => $_POST['website_time_format'],
        'website_url' => $option['website_url'],
        'website_path' => $option['website_path']
    ));

    $query = '
        UPDATE
            ' . DB_PFIX . 'settings
        SET
            setting_options = "' . $data . '"
        WHERE
            setting_name = "' . $setting_name . '"
    ';

    $result = mysqli_query( $db_connect, $query );

    if ( mysqli_affected_rows( $db_connect ) == 1 ) {
        echo "GOOD!";
    } else {
        echo mysqli_error( $db_connect );
    }
}

?>

3 answers:

Answer 0 (score: 2)

You cannot put a serialized string into the database without escaping it. Escape your data or use prepared statements.

Quick fix:

// procedural mysqli_real_escape_string() needs the connection as its first argument
$data = mysqli_real_escape_string( $db_connect, $data );

Real fix: use prepared statements
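The prepared-statement version of the question's UPDATE, as an added example that is not part of the answer above. It assumes the names used in the question: `$db_connect` is an open mysqli link, `DB_PFIX` is the table-prefix constant, and `$setting_name` and the `$option` array are already set; none of them are defined here. The serialized array and the setting name travel as bound parameters, so the double quotes inside `a:12:{s:13:"website_title"...` never reach the SQL parser, which is exactly what broke the interpolated query.

```php
<?php
// Added example, not the answerer's code. Assumes $db_connect (mysqli link),
// the DB_PFIX constant, $setting_name and $option from the question.

/**
 * Store $options as a serialized blob for one settings row.
 * Returns the number of affected rows (0 means the row exists but was unchanged).
 */
function update_setting_options( mysqli $db_connect, $setting_name, array $options ) {
    // Identifiers cannot be bound as parameters, so the table name is still built
    // by concatenation; the prefix comes from a constant, not from request input.
    $sql = 'UPDATE ' . DB_PFIX . 'settings SET setting_options = ? WHERE setting_name = ?';

    $stmt = mysqli_prepare( $db_connect, $sql );
    if ( $stmt === false ) {
        throw new RuntimeException( 'prepare failed: ' . mysqli_error( $db_connect ) );
    }

    $data = serialize( $options );

    // Two string parameters. Quotes, braces and semicolons in the serialized
    // value are just bytes in a parameter here, not part of the SQL text.
    mysqli_stmt_bind_param( $stmt, 'ss', $data, $setting_name );

    if ( ! mysqli_stmt_execute( $stmt ) ) {
        $err = mysqli_stmt_error( $stmt );
        mysqli_stmt_close( $stmt );
        throw new RuntimeException( 'execute failed: ' . $err );
    }

    $affected = mysqli_stmt_affected_rows( $stmt );
    mysqli_stmt_close( $stmt );
    return $affected;
}

if ( ! empty( $_POST['submit'] ) ) {
    // Only a fixed list of form fields is copied into the serialized array, so an
    // unexpected POST key cannot end up stored as a setting.
    $fields = array(
        'website_title', 'website_slogan', 'website_theme', 'website_homepage',
        'website_description', 'website_keywords', 'website_language',
        'website_timezone', 'website_date_format', 'website_time_format',
    );
    $options = array();
    foreach ( $fields as $field ) {
        $options[ $field ] = isset( $_POST[ $field ] ) ? (string) $_POST[ $field ] : '';
    }
    // These two come from configuration in the question, not from the form.
    $options['website_url']  = $option['website_url'];
    $options['website_path'] = $option['website_path'];

    try {
        $affected = update_setting_options( $db_connect, $setting_name, $options );
        echo $affected === 1 ? 'GOOD!' : 'no row changed (' . $affected . ' affected)';
    } catch ( RuntimeException $e ) {
        // Log the real error server-side; show the user a generic message.
        error_log( $e->getMessage() );
        echo 'update failed';
    }
}
?>
```

Note that `mysqli_affected_rows` is 0 when the matched row already held the same serialized value, so "== 1" is not a reliable success test on its own; checking `mysqli_stmt_execute`'s return value is what tells you whether the statement actually failed.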

Answer 1 (score: 0)

Somehow the query string is not being interpreted correctly. The constant expression DB_PFIX should not show up in the statement by its name but by its value! Just echo the variable $query on the page to double check.

Answer 2 (score: 0)

How about adding mysqli_real_escape_string

// escape both interpolated values; the connection is the first argument in
// procedural style, and the result has to be assigned back to be used
$data = mysqli_real_escape_string( $db_connect, $data );
$setting_name = mysqli_real_escape_string( $db_connect, $setting_name );