获取"您的SQL语法中有错误;检查与MySQL服务器版本对应的手册"

时间:2014-01-20 11:00:05

标签: php mysql sql

有人可以请注意我的编码,找出我为什么会这样做:

  

错误:您的SQL语法出错;检查与MySQL服务器版本对应的手册,以便在第1行的''附近使用正确的语法

我知道这将是非常简单的事情,但我看不到它。 

<body>
<?php
//connect to database//
$dbc = mysql_connect("localhost", "root", "***");
if (!$dbc)
die ('Could not connect: ' . mysql_error());

//select database//
$db_selected = mysql_select_db("tafe", $dbc );
if (!$db_selected)
die ('Could not connect: ' . mysql_error());

// initialise variables to store form control values
$Name = "";
$Address = "";
$Phone = "";
$Mobile = "";
$Email = "";


if($_SERVER['REQUEST_METHOD'] == "POST") // if form has been posted
{  
// initialise variables to store posted values
$ContactID = $_POST["ContactID"];
$Name = $_POST["Name"];
$Address = $_POST["Address"];
$Phone = $_POST["Phone"];
$Mobile = $_POST["Mobile"];
$Email = $_POST["Email"];

//build sql insert statement
$qry = "UPDATE contacts SET Name = '" . $Name . "', Address = '" . $Address . "', Phone = '" . $Phone . "', Mobile = '" . $Mobile . "', Email = '" . $Email . "' WHERE ContactID =" . $ContactID;

// run insert statement against database
$rst = mysql_query($qry, $dbc);

if ($rst)
{
    echo "<b><font color='green'>The contact has been updated.</font></b>";
    echo "</br></br>";
    echo "<a href=list-contacts.php>Continue</a>"; 
}

else 

{
    echo "<b><font color='red'>Error: ". mysql_error($dbc) . "</font></b>"; //alert if contact could not be added//
}

}


else // if form has not been posted
{
// build sql statement
$qry = "SELECT * FROM contacts WHERE ContactID = " . $_GET["ContactID"];


// run select statement
$rst = mysql_query($qry, $dbc);

if ($rst)
{
    $row = mysql_fetch_assoc($rst); // fetch row and place column values into respective place holder variable 

    $Name = $row["Name"];
    $Address = $row["Address"];
    $Phone = $row["Phone"];
    $Mobile = $row["Mobile"];
    $Email = $row["Email"];
}

else // in case of an error
{
    echo "<b><font color='red'>Error: ". mysql_error($dbc) . "</font></b>"; 
} // end of nested else statement ?>

<form name="editcontact" method="post" action="edit-contact.php"> 
<table border="1" cellpadding="2">
<caption> Caption 5</caption>

<!--Name Input-->
<tr>
<td><label for="Name">Name</label></td>
<td><input type="text" name="Name" value="<?php echo $Name ?>" size="30" maxlength="50" tabindex="1"/>
</td>
</tr>

<!-- Address Input-->
<tr>
<td><label for="Address">Address</label></td>
<td><textarea name="Address" cols="45" rows="5" tabindex="2"><?php echo $Address?></textarea></td>
</tr>

<!--Phone Input-->
<tr>
<td><label for="Phone">Phone</label></td>
<td><input type="text" name="Phone" value="<?php echo $Phone ?>" size="20" maxlength="20" tabindex="3" /> </td>
</tr>

<!--Mobile Input-->
<tr>
<td><label for="Mobile">Mobile</label></td>
<td><input type="text" name="Mobile" value="<?php echo $Mobile ?>" size="20" maxlength="20" tabindex="4" /> </td>
</tr>

<!--Email Input-->
<tr>
<td><label for="Email">Email</label></td>
<td><input type="text" name="Email" value="<?php echo $Email ?>" size="30" maxlength="50" tabindex="5" /></td>
</tr>

<!--Submit Button-->
<tr>
<td colspan="2" align="center"><input type="submit" name="Submit" value="Submit" tabindex="6"/>      
</td>
</tr>

</table>
</form>



<?php
} // end of main else statement

mysql_free_result($rst); //free memory//

?>

</body>
</html>`

3 个答案:

答案 0 :(得分:1)

$_POST["ContactID"]返回null,这就是你得到错误的原因 将ContactID发送到服务器:

<input type="hidden" name="ContactID" value="<?php echo $_GET["ContactID"]; ?>" />

您的代码存在七个问题:

  1. 请勿使用mysql_*功能。他们已经过时了。使用mysqli_*PDO
  2. 始终检查用户发送的数据,或者用户可能会删除您的数据库。
  3. 请勿使用<b><font>标记。这是2014年。使用HTML5和CSS3。
  4. 使用htmlspecialchars(),或者用户可以攻击您的网站(XSS
  5. 如果您使用标签,则需要设置输入的ID。
  6. 不要使用表格来构建网站。使用浮动的div。

    7. 此代码效果很好:

     <?php
try
{
    $db = new PDO("mysql:dbname=tafe;host=localhost", "root", "***");
}
catch (PDOException $e)
{
    die("Cannot connect to database.");
}
function post($name)
{
    return isset($_POST[$name]) ? $_POST[$name] : "";
}
function html($x)
{
    return htmlentities($x, ENT_QUOTES, "UTF-8");
}
if (post("id"))
{  
    $query = $db->prepare("UPDATE contacts SET Name = :name, Address = :address, Phone = :phone, Mobile = :mobile, Email = :email WHERE ContactID = :id");
    $query->bindParam(":name", post("name"));
    $query->bindParam(":address", post("address"));
    $query->bindParam(":phone", post("phone"));
    $query->bindParam(":mobile", post("mobile"));
    $query->bindParam(":email", post("email"));
    $query->bindParam(":id", post("id"));
    if ($query->execute())
        $message = '<span style="color: green; font-weight: bold;">The contact has been updated.</span><br /><a href="list-contacts.php">Continue</a>';
    else
        $message =  '<span style="color: red; font-weight: bold;">There was an error.</span>';
}
elseif (isset($_GET["ContactID"]))
{
    $query = $db->prepare("SELECT Name, Address, Phone, Mobile, Email FROM contacts WHERE ContactID = :id");
    $query->bindParam(":id", $_GET["ContactID"]);
    if ($query->execute())
    {
        if (!$query->rowCount())
            $message = '<span style="color: red; font-weight: bold;">This contact does not exists.</span>';
        else
        {
            $row = $query->fetch(PDO::FETCH_ASSOC);
            foreach ($row as $k => $v)
                $_POST[$k] = $v;
        }
    }
    else
        $message = '<span style="color: red; font-weight: bold;">There was an error.</span>';
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Contact</title>
        <meta charset="utf-8" />
    </head>
    <body>
        <?php
        if (isset($message))
            echo "<p>".$message."</p>";
        ?>
        <form action="edit-contact.php" method="post"> 
            <label for="name">Name:</label><br />
            <input type="text" name="name" id="name" value="<?php echo html(post("name")) ?>" /><br />
            <label for="address">Address:</label><br />
            <textarea name="address" id="address"><?php echo html(post("address")) ?></textarea><br />
            <label for="phone">Phone:</label><br />
            <input type="text" name="phone" id="phone" value="<?php echo html(post("phone")) ?>" /><br />
            <label for="mobile">Mobile:</label><br />
            <input type="text" name="mobile" id="mobile" value="<?php echo html(post("mobile")) ?>" /><br />
            <label for="email">Email:</label><br />
            <input type="text" name="email" id="email" value="<?php echo html(post("email")) ?>" /><br />
            <input type="submit" name="submit" value="Submit" />      
            <input type="hidden" name="id" value="<?php echo isset($_GET["ContactId"]) ? intval($_GET["ContactId"]) : "0" ?>" />
        </form>
    </body>
</html>

答案 1 :(得分:0)

试试这个

$qry = "UPDATE contacts SET 
                Name = '" . mysql_real_escape_string($Name) . "', 
                Address = '" . mysql_real_escape_string($Address) . "', 
                Phone = '" . mysql_real_escape_string($Phone) . "', 
                Mobile = '" . mysql_real_escape_string($Mobile) . "', 
                Email = '" . mysql_real_escape_string($Email) . "' 
                WHERE ContactID =" . $ContactID;

确保您的html表单中有一个名为“ContactID”的隐藏文本框或文本框 由于您在查询中使用它,我在表单中看不到。

$ContactID = $_POST["ContactID"];

注意:您正在使用不推荐使用的mysql_ *函数,开始使用mysqli_ *函数或PDO

答案 2 :(得分:0)

试试这个

 $qry = "UPDATE contacts 
         SET Name = '" . $Name . "', 
             Address = '" . $Address . "', 
             Phone = '" . $Phone . "', 
             Mobile = '" . $Mobile . "', 
             Email = '" . $Email . "' 
         WHERE ContactID = '" . $ContactID . "' " ;

并更改为该查询

  $qry = "SELECT * FROM contacts WHERE ContactID = '" . $_GET['ContactID']."' " ;

nB:

1-您应该通过mysql_real_escape_string()

转义变量

2-你应该使用PDO或MYSQLI代替MYSQL

相关问题
最新问题