我在哪里弄错了?在我的cms中出现MySQL语法错误

时间:2013-09-23 02:52:44

标签: php mysql sql

我正在制作一个简单的cms来管理某个人的网站,虽然当我尝试修改用户帐户的访问级别时,它会给出一个mysql sytax错误: -

'您的SQL语法有错误;检查与MySQL服务器版本对应的手册,以便在第5行'WHERE user_id = 2'附近使用正确的语法

程序有3个级别的用户,1 =用户,2 =主持人,3 =管理员。

这是我的代码:

<?php
require_once 'db.inc.php';
require_once 'cms_http_functions.inc.php';

$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or
    die ('Unable to connect. Check your connection parameters.');

mysql_select_db(MYSQL_DB, $db) or die(mysql_error($db));

if (isset($_REQUEST['action'])) {

    switch ($_REQUEST['action']) {
    case 'Login':
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $password = (isset($_POST['password'])) ? $_POST['password'] : '';
        $sql = 'SELECT
                user_id, access_level, name
            FROM
                cms_users
            WHERE
                email = "' . mysql_real_escape_string($email, $db) . '" AND
                password = PASSWORD("' . mysql_real_escape_string($password,
                    $db) . '")';
        $result = mysql_query($sql, $db) or die(mysql_error($db));
            if (mysql_num_rows($result) > 0) {
            $row = mysql_fetch_array($result);
            extract($row);
            session_start();
            $_SESSION['user_id'] = $user_id;
            $_SESSION['access_level'] = $access_level;
            $_SESSION['name'] = $name;
        }
        mysql_free_result($result);
        redirect('cms_index.php');
        break;

    case 'Logout':
        session_start();
        session_unset();
        session_destroy();
        redirect('cms_index.php');
        break;

    case 'Create Account':
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $password_1 = (isset($_POST['password_1'])) ? $_POST['password_1'] : '';
        $password_2 = (isset($_POST['password_2'])) ? $_POST['password_2'] : '';
        $password = ($password_1 == $password_2) ? $password_1 : '';
        if (!empty($name) && !empty($email) && !empty($password)) {
            $sql = 'INSERT INTO cms_users
                    (email, password, name)
                VALUES
                ("' . mysql_real_escape_string($email, $db) . '",
                PASSWORD("' . mysql_real_escape_string($password, $db) . '"), 
                "' . mysql_real_escape_string($name, $db) . '")';
            mysql_query($sql, $db) or die(mysql_error($db));

            session_start();
            $_SESSION['user_id'] = mysql_insert_id($db);
            $_SESSION['access_level'] = 1;
            $_SESSION['name'] = $name;
        }
         redirect('cms_index.php');
        break;
    enter code here
    case 'Modify Account':
        $user_id = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        $access_level = (isset($_POST['access_level'])) ? $_POST['access_level']
            : '';
        if (!empty($user_id) && !empty($name) && !empty($email) &&
             !empty($access_level) && !empty($user_id)) {
            $sql = 'UPDATE cms_users SET
                    email = "' . mysql_real_escape_string($email, $db) . '",
                    name = "' . mysql_real_escape_string($name, $db) . '",
                    access_level = "' . mysql_real_escape_string($access_level,
                        $db) . '",
                WHERE
                    user_id = ' . $user_id;
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_admin.php');
        break;

    case 'Send my reminder!':
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        if (!empty($email)) {
            $sql = 'SELECT email FROM cms_users WHERE email="' .
                mysql_real_escape_string($email, $db) . '"';
            $result = mysql_query($sql, $db) or die(mysql_error($db));
            if (mysql_num_rows($result) > 0) {
                $password = strtoupper(substr(sha1(time()), rand(0, 32), 8));
                $subject = 'Comic site password reset';
                $body = 'Looks like you forgot your password, eh? No worries. ' . 
                    'We\'ve reset it for you!' . "\n\n";
                $body .= 'Your new password is: ' . $password;
                mail($email, $subject, $body);
            }
            mysql_free_result($result);
        }
        redirect('cms_login.php');
        break;

    case 'Change my info':
        session_start();
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        if (!empty($name) && !empty($email) && !empty($_SESSION['user_id']))
        {
            $sql = 'UPDATE cms_users SET
                    email = "' . mysql_real_escape_string($email, $db) . '",
                    name = "' . mysql_real_escape_string($name, $db) . '",
                WHERE
                    user_id = ' . $_SESSION['user_id'];
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_cpanel.php');
        break;
    default:
        redirect('cms_index.php');
    }
} else {
    redirect('cms_index.php');
}
?>

我似乎无法在代码中找到任何错误。请帮助。

2 个答案:

答案 0 :(得分:1)

在“修改帐户”案例中,您在一行中有一个额外的逗号:

                access_level = "' . mysql_real_escape_string($access_level,
                    $db) . '",
                             ^ here

但我请求你,不要在新代码中使用mysql_函数。它们凌乱,过时,正式弃用。学习PHP的PDO以获取数据库访问权限。一旦你习惯它,你会发现它更容易,更整洁,更安全。

答案 1 :(得分:1)

摘录:

'access_level = "' . mysql_real_escape_string($access_level, $db) . '", WHERE...'

(在一行中更容易看到)在where子句之前有一个逗号。

摆脱它。当您设置另一列而不是在where之前时,可以使用该逗号。

请记住,在90%的情况下,如果您只是在执行之前输出SQL字符串(在调试期间而不是在生产中),则很容易检测到这些问题。

此外,您需要学习如何使用参数化查询,以提高可读性并防止潜在的安全漏洞(SQL注入)。

相关问题
最新问题