我正在学习PHP所以我在PHP中练习SQL和CRUD但是我似乎有问题,但我没有看到有什么问题。有两个文件:
databases.php
<?php
// 1. Create a database connection
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "root";
$dbname = "widget_corp";
$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
// Test if connection occured
if(mysqli_connect_errno()) {
die("Database connection failed: " .
mysqli_connect_error() .
" (" . mysqli_connect_errno() . ")"
);
}
?>
<?php
// Perform database query
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE visible = 1 ";
$query .= "ORDER BY position ASC";
$result = mysqli_query($connection, $query);
// Test if there was a query error
if (!$result) {
die("Database query failed.");
}
?>
<!DOCTYPE html PUBLIC "-//W3C/DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>Databases</title>
<body>
<ul>
<?php
// 3. Use returned data (if any)
while($subject = mysqli_fetch_assoc($result)) {
// Output data from each row
?>
<li><?php echo $subject["menu_name"] . " (" .$subject["id"] . ")"; ?></li>
<?php
}
?>
</ul>
<?php
// 4. Release returned data
mysqli_free_result($result);
?>
</body>
<?php
// Close database connection
mysqli_close($connection);
?>
和databases_update.php
<?php
// 1. Create a database connection
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "root";
$dbname = "widget_corp";
$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
// Test if connection occured
if(mysqli_connect_errno()) {
die("Database connection failed: " .
mysqli_connect_error() .
" (" . mysqli_connect_errno() . ")"
);
}
?>
<?php
// Often these are form values in $_POST
$id = 5;
$menu_name = "Delete me";
$position = 4;
$visible = 1;
// 2. Perform database query
$query = "UPDATE subjects SET ";
$query .= "menu_name = '{$menu_name}', ";
$query .= "position = {$position}, ";
$query .= "visible = {$visible}, ";
$query .= "WHERE id = {$id}";
$result = mysqli_query($connection, $query);
// Test if there was a query error
if ($result) {
// Success
// redirect_to("somepage.php");
echo "Success!";
} else {
// Failure
// message = "Subject creation failed";
die("Database query failed. " . mysqli_error($connection));
}
?>
<!DOCTYPE html PUBLIC "-//W3C/DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>Databases</title>
<body>
</body>
<?php
// Close database connection
mysqli_close($connection);
?>
我收到的错误是当我转到localhost:8888 / databases_update.php。
这是错误:
Database query failed. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 5' at line 1
造成这种情况的原因是什么?
答案 0 :(得分:2)
$query .= "visible = {$visible}, ";
$query .= "WHERE id = {$id}";
是“WHERE”关键字前面有逗号的问题。
visible = {$visible}, WHERE id = {$id}
答案 1 :(得分:1)
Wallyk的回答是正确的。但是,使用预准备语句会更好(更安全!),因为它们会通过不正确的转义来阻止SQL注入。
您需要做的是使用mysqli_prepare函数(或$ connection-&gt; prepare()),然后将所需参数绑定到查询,然后执行它。像这样:
替换:
$query = "UPDATE subjects SET ";
$query .= "menu_name = '{$menu_name}', ";
$query .= "position = {$position}, ";
$query .= "visible = {$visible}, ";
$query .= "WHERE id = {$id}";
$result = mysqli_query($connection, $query);
使用:
$query = $connection->prepare("UPDATE subjects SET menu_name=?, position=?, visible=? WHERE id=?");
$query->bind_param('siii', $menu_name, $position, $visible, $id); // siii means 1 string, followed by 3 integer values
$result = $query->execute(); // actually run the query