I get the following error message, so obviously something is wrong with the syntax of my code, but I am not sure what it is. If I change $data to something simple like "pie", it updates. It seems to be an error with the serialized string?
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' . DB_PFIX . 'settings SET setting_options = 'a:12:{s:13:"website_title"' at line 2
Code:

```php
<?php
if( !empty( $_POST['submit'] ) ) {
    $data = serialize( array(
        'website_title'       => $_POST['website_title'],
        'website_slogan'      => $_POST['website_slogan'],
        'website_theme'       => $_POST['website_theme'],
        'website_homepage'    => $_POST['website_homepage'],
        'website_description' => $_POST['website_description'],
        'website_keywords'    => $_POST['website_keywords'],
        'website_language'    => $_POST['website_language'],
        'website_timezone'    => $_POST['website_timezone'],
        'website_date_format' => $_POST['website_date_format'],
        'website_time_format' => $_POST['website_time_format'],
        'website_url'         => $option['website_url'],
        'website_path'        => $option['website_path']
    ));
    $query = '
        UPDATE
            ' . DB_PFIX . 'settings
        SET
            setting_options = "' . $data . '"
        WHERE
            setting_name = "' . $setting_name . '"
    ';
    $result = mysqli_query( $db_connect, $query );
    if ( mysqli_affected_rows( $db_connect ) == 1 ) {
        echo "GOOD!";
    } else {
        echo mysqli_error( $db_connect );
    }
}
?>
```
Answer 0 (score: 2)

You cannot put a serialized string into the database without escaping it. Escape your data or use prepared statements.

Quick fix:

```php
$data = mysqli_real_escape_string($db_connect, $data);
```

Real fix: use prepared statements.
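As an added example (not code from the question or any of the answers), here is the same UPDATE written as a mysqli prepared statement. It assumes, as in the question, that DB_PFIX is defined, `$db_connect` is an open mysqli connection, and `$setting_name` and `$option` are already set; `save_settings` is a hypothetical helper name. The serialized value and the setting name travel as bound parameters, so the quotes and braces in `a:12:{s:13:"website_title"...` can no longer break out of the SQL string.

```php
<?php
// Added example: the question's UPDATE as a prepared statement.
// Assumes DB_PFIX, $db_connect, $setting_name and $option exist as in the question.

function save_settings(mysqli $db, string $setting_name, array $options): bool
{
    // A table name cannot be a bound parameter. It is built from the DB_PFIX
    // constant only (never from request input), so concatenating it is fine.
    $sql = 'UPDATE ' . DB_PFIX . 'settings'
         . ' SET setting_options = ? WHERE setting_name = ?';

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // The values are sent separately from the SQL text, so no escaping of
    // the serialized string (or of $setting_name) is needed or performed here.
    $data = serialize($options);
    $stmt->bind_param('ss', $data, $setting_name);

    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected === 1;
}

if (!empty($_POST['submit'])) {
    // Copy only the expected keys from $_POST so unknown fields are not stored.
    $allowed = ['website_title', 'website_slogan', 'website_theme',
                'website_homepage', 'website_description', 'website_keywords',
                'website_language', 'website_timezone', 'website_date_format',
                'website_time_format'];
    $options = [];
    foreach ($allowed as $key) {
        $options[$key] = $_POST[$key] ?? '';
    }
    $options['website_url']  = $option['website_url'];
    $options['website_path'] = $option['website_path'];

    echo save_settings($db_connect, $setting_name, $options) ? 'GOOD!' : 'No row updated';
}
```

Note that `affected_rows` is 0 when the row exists but already holds identical data, so a false return is not necessarily an error.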
Answer 1 (score: 0)

Somehow the query string is not being interpreted correctly. The constant expression DB_PFIX should not be visible by its name, but by its value, in the statement! Just echo the variable $query on the page to double-check.
Answer 2 (score: 0)

How to add mysqli_real_escape_string:

```php
$data         = mysqli_real_escape_string($db_connect, $data);
$setting_name = mysqli_real_escape_string($db_connect, $setting_name);
```