mysqli_real_escape_string创建SQL语法错误

Time: 2014-04-05 19:56:29

Tags: php mysql sql syntax

I am writing a script to update the database when I need to change the information on a page. The script works fine if there are no special characters in the text (such as ' or "), but if there are any special characters I get an error like this one:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"Fury" song, the concert inspires the surrounding characters to become more aggressive. Such as' at line 1

I would appreciate some help seeing what I may have missed in this script; thanks in advance for your time.

The initial page for selecting the data to update:

<?php
    include('../connect/connect-mysql.php');

$sql="SELECT * FROM table Order by Appeared asc";
$result=mysql_query($sql);
?>
<h4>Update/Edit Tool</h4>

<table width="400" border="0" cellspacing="1" cellpadding="0">
<tr>
<td>
<table width="400" border="1" cellspacing="0" cellpadding="3">
<tr>
<th align="center"><font face="Verdana" size="1">Update</font></th>
<th align="center"><font face="Verdana" size="1">Power</font></th>
<th align="center"><font face="Verdana" size="1">Power2</font></th>
<th align="center"><font face="Verdana" size="1">Power3</font></th>
<th align="center"><font face="Verdana" size="1">Power4</font></th>
</tr>

<?php
while($rows=mysql_fetch_array($result)){
?>

<tr>
<td align="center"><font face="Verdana" size="1"><a href="p_update.php?id=<? echo $rows['IDNumber']; ?>">update</a></font></td>
<td><font face="Verdana" size="1"><div style="height:20px; width:160px; overflow:hidden"><? echo $rows['Power']; ?></div></font></td>
<td><font face="Verdana" size="1"><div style="height:20px; width:160px; overflow:hidden"><? echo $rows['Power2']; ?></div></font></td>
<td><font face="Verdana" size="1"><div style="height:20px; width:160px; overflow:hidden"><? echo $rows['Power3']; ?></div></font></td>
<td><font face="Verdana" size="1"><div style="height:20px; width:160px; overflow:hidden"><? echo $rows['Power4']; ?></div></font></td>
</tr>

<?php
}
?>

</table>

The edit page (p_update.php):

<?php
include('../connect/connect-mysql.php');

$id=$_GET['id'];

$sql="SELECT * FROM table WHERE IDNumber='$id'";
$result=mysql_query($sql) or die(mysql_error());

$rows=mysql_fetch_array($result);
?>
<body>
<h1>Update Data</h1>
<form name="form1" method="post" action="p_update_ac.php">
<fieldset>
    <legend>Update Data</legend>
    <table border="1" width="100%" style="border-collapse: collapse">
    <tr><th><font face="Verdana" size="1"><label>Database ID: </label></font></th><td><font size="1" face="Verdana"><input name="IDNumber" type="text" id="IDNumber" value="<?php echo $rows['IDNumber']; ?>" size="10"><b>DO NOT CHANGE THIS FIELD</b></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power Category: </label></font></th><td><font size="1" face="Verdana"><input name="Powcategory" type="text" id="Powcategory" value="<?php echo $rows['Powcategory']; ?>" size="50"></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power: </label></font></th><td><font size="1" face="Verdana"><input name="Power" type="text" id="Power" value="<?php echo $rows['Power']; ?>" size="150"></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power 2: </label></font></th><td><font size="1" face="Verdana"><input name="Power2" type="text" id="Power2" value="<?php echo $rows['Power2']; ?>" size="150"></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power 3: </label></font></th><td><font size="1" face="Verdana"><input name="Power3" type="text" id="Power3" value="<?php echo $rows['Power3']; ?>" size="150"></font></td></tr>
    <tr><th><font face="Verdana" size="1"><label>Power 4: </label></font></th><td><font size="1" face="Verdana"><input name="Power4" type="text" id="Power4" value="<?php echo $rows['Power4']; ?>" size="150"></font></td></tr>
    </table>
</fieldset>
<br>
<input name="id" type="hidden" id="id" value="<?php echo $rows['id']; ?>"><input type="submit" name="Submit" value="Update Record">
</form>
<?php
// close connection
mysql_close();
?>

The following code, p_update_ac.php, is what the p_update.php script calls in order to run.

<?php
include('../connect/connect-mysql.php');

$IDNumber = mysqli_real_escape_string($dbcon, $_POST['IDNumber']);
$Power = mysqli_real_escape_string($dbcon, $_POST['Power']);
$Power2 = mysqli_real_escape_string($dbcon, $_POST['Power2']);
$Power3 = mysqli_real_escape_string($dbcon, $_POST['Power3']);
$Power4 = mysqli_real_escape_string($dbcon, $_POST['Power4']);

$sql="UPDATE table SET Power='$Power',Power2='$Power2',Power3='$Power3',Power4='$Power4' WHERE IDNumber='$IDNumber'";
$result=mysql_query($sql) or die(mysql_error());

if($result){
echo "Successful";
echo "<p>";
echo "<a href='p_list_records.php'>View result</a>";

}

else {
echo "ERROR";
}

?>

2 answers:

Answer 0 (score: 1)

Your UPDATE code is not working because you are mixing two different APIs, and they do not mix.

By APIs I mean the mysqli_* and mysql_* functions.

I have the impression that your database connection is actually mysql_*, because otherwise you would not be getting the error message, so I am including both versions below just in case (see footnote):

Side note: you should be using the mysqli_* functions with prepared statements, or PDO.

If mysql, use the following:
<?php
include('../connect/connect-mysql.php');

$IDNumber = mysql_real_escape_string($_POST['IDNumber']);
$Power = mysql_real_escape_string($_POST['Power']);
$Power2 = mysql_real_escape_string($_POST['Power2']);
$Power3 = mysql_real_escape_string($_POST['Power3']);
$Power4 = mysql_real_escape_string($_POST['Power4']);

$sql="UPDATE table SET Power='$Power',Power2='$Power2',Power3='$Power3',Power4='$Power4' WHERE IDNumber='$IDNumber'";
$result=mysql_query($sql,$dbcon) or die(mysql_error());

if($result){
echo "Successful";
echo "<p>";
echo "<a href='p_list_records.php'>View result</a>";

}

else {
echo "ERROR";
}

?>

If mysqli, use the following:
<?php
include('../connect/connect-mysql.php');

$IDNumber = mysqli_real_escape_string($dbcon, $_POST['IDNumber']);
$Power = mysqli_real_escape_string($dbcon, $_POST['Power']);
$Power2 = mysqli_real_escape_string($dbcon, $_POST['Power2']);
$Power3 = mysqli_real_escape_string($dbcon, $_POST['Power3']);
$Power4 = mysqli_real_escape_string($dbcon, $_POST['Power4']);

$sql="UPDATE table SET Power='$Power',Power2='$Power2',Power3='$Power3',Power4='$Power4' WHERE IDNumber='$IDNumber'";
$result=mysqli_query($dbcon,$sql) or die(mysqli_error($dbcon));

if($result){
echo "Successful";
echo "<p>";
echo "<a href='p_list_records.php'>View result</a>";

}

else {
echo "ERROR";
}

?>

To switch to a mysqli_* connection, replace xxx with your database credentials.

DEFINE ('DB_USER', 'xxx');
DEFINE ('DB_PASSWORD', 'xxx');
DEFINE ('DB_HOST', 'xxx');
DEFINE ('DB_NAME', 'xxx');

$dbcon = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) 
OR die("could not connect");

Footnote:

mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at »http://www.mysql.com/

Documentation for MySQL can be found at »http://dev.mysql.com/doc/.
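The side note above recommends mysqli_* with prepared statements. As an added example (this is not code from the question or from either answer), here is the record lookup from p_update.php and the write from p_update_ac.php done that way: each value travels to the server separately from the query text, so a ' or " in the song description is stored as data and can never produce the syntax error in the question, and no escaping call is needed at all. It assumes ../connect/connect-mysql.php creates a mysqli connection in $dbcon (as in the mysqli_connect snippet above), that PHP runs with mysqlnd (needed for mysqli_stmt_get_result), and that the table really is called `table` with IDNumber as its key, as written in the question.

```php
<?php
// Added example, not the questioner's or answerer's code. Assumes
// ../connect/connect-mysql.php defines $dbcon as a mysqli connection and
// the table/column names from the question (`table`, IDNumber, Power..Power4).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception
include('../connect/connect-mysql.php');

// p_update.php: load one record for the edit form. The id from the URL is
// bound as a parameter instead of being pasted into the SQL string.
function fetch_record(mysqli $dbcon, string $id): ?array
{
    $stmt = mysqli_prepare($dbcon, "SELECT * FROM `table` WHERE IDNumber = ?");
    mysqli_stmt_bind_param($stmt, 's', $id);      // 's' = string parameter
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row ?: null;                           // null when no such IDNumber
}

// p_update_ac.php: write the four Power fields back. Returns the number of
// rows the server reports as changed.
function update_record(mysqli $dbcon, string $id, array $powers): int
{
    $stmt = mysqli_prepare(
        $dbcon,
        "UPDATE `table` SET Power = ?, Power2 = ?, Power3 = ?, Power4 = ? WHERE IDNumber = ?"
    );
    // Every value is sent as a bound string; quotes inside it are never parsed as SQL.
    mysqli_stmt_bind_param(
        $stmt, 'sssss',
        $powers['Power'], $powers['Power2'], $powers['Power3'], $powers['Power4'], $id
    );
    mysqli_stmt_execute($stmt);
    // 0 also happens when the submitted values equal the stored ones or the id
    // does not exist, so this is informational rather than a failure signal.
    $changed = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $changed;
}

// Form handler (the flow of the questioner's p_update_ac.php).
foreach (['IDNumber', 'Power', 'Power2', 'Power3', 'Power4'] as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        http_response_code(400);
        exit('Missing field: ' . htmlspecialchars($field));
    }
}

try {
    $changed = update_record($dbcon, $_POST['IDNumber'], $_POST);
    echo "Successful";
    echo "<p>";
    echo "<a href='p_list_records.php'>View result</a>";
} catch (mysqli_sql_exception $e) {
    // Log the driver message server-side; do not echo it to the browser as
    // die(mysql_error()) does, since it reveals the query text and schema.
    error_log('update failed: ' . $e->getMessage());
    echo "ERROR";
}
mysqli_close($dbcon);
```

With the values bound, the visible symptom from the question disappears regardless of which characters the text contains, and there is no mysql_*/mysqli_* mismatch because only one API is used end to end.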

Answer 1 (score: 0)

If you are using PHP's original MySQL API, then you should use mysql_real_escape_string() instead.

$IDNumber = mysqli_real_escape_string($dbcon, $_POST['IDNumber']);

// ...

$result=mysql_query($sql) or die(mysql_error());