我在更新SQL查询时收到此错误。
错误在这一行:
$update_sql = "UPDATE table SET `column1` = IF(LENGTH('$_POST['column1']')=0, column1, '$_POST['column1']'), `column2` = '".$_POST['column2']."' WHERE name='".$_POST['movie_name']."';";
错误是:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
我的代码出了什么问题?
答案 0 :(得分:2)
错误的字符串连接。
$update_sql = "UPDATE movies SET `nowvideo` = IF(LENGTH('" . $_POST['nowvideo'] . "')=0, nowvideo, '" . $_POST['nowvideo'] . "'), `nowvideohd` = '".$_POST['nowvideohd']."' WHERE name='".$_POST['movie_name']."';";
作为旁注,您的查询非常不安全。您将数据直接从表单放入查询中。阅读SQL注入&清理您的查询。
如果您计划保护查询,我也会阅读PDO。
答案 1 :(得分:1)
您应该将POST变量保存到变量中,执行检查并清理以避免SQL注入
//Safe get the variables
$nowVideo = filter_input(INPUT_POST, 'nowVideo');
$nowVideoHd = filter_input(INPUT_POST, 'nowvideohd');
$movieName = filter_input(INPUT_POST, 'movie_name');
if (!empty($movieName)) {
//Avoid sql injection
$nowVideo = mysqli_real_escape_string($connectionLink, $nowVideo);
$nowVideoHd = mysqli_real_escape_string($connectionLink, $nowVideo);
$movieName = mysqli_real_escape_string($connectionLink, $movieName);
$update_sql = 'UPDATE movies SET nowvideo = ' . (empty($nowVideo) ? 'nowvideo' : "'$nowVideo'") . ', nowvideohd = ' . $nowVideoHd . " WHERE name = '$movieName'";
}
else {
//Show error
}
如果nowVideoHd变量为空,则应为 nowVideoHd 设置默认值。您应该将其设置为$ nowVideo var或默认值。
答案 2 :(得分:0)
所有$ _POST ['columnx']应为“。$ _ POST ['columnx']。”