我的PDO查询出了什么问题?

时间:2015-06-20 18:13:14

标签: php mysql pdo

好的,所以这是一个麻烦的小PHP脚本,我试图写:

    if (!empty($_POST)) {
    $pdusername = $_POST['username'];
    $pdpassword = $_POST['password'];
    $pdemail = $_POST['email'];
    $crumbs = '
        {"qActive":"","cardColor":8,"storage":"F0004a,F206","closet":"P001,C301c,C415a,C601a,C010a,C303a,C744,BG037,BG101,C401c,GI704,C456b","memberOnly":"","qItems":"","color":"1","coins":1000,"allowFriends":1,"email":"'.$pdemail.'","isEligible":"1","bankCount":"","isEmailValidated":1,"isMember":1,"lastGame":"MG001","isZing":1,"xp":0,"qCount":0,"bank":"","isSafe":"0","gold":0,"bday":"1/1/2000,382","festivalCollection":0,"wearing":"","tickets":0,"xpLevel":0,"lastPlayed":"1/1/2015,383","games":"MG001,MG002,MG003","isMod":0,"mounts":"","backpack":"","level":"1"}
    ';
    $sql = 'INSERT INTO users (username,nickname,email,password,active,parent,ubdate,level,memberexpiry,crumbs,ismod)
    VALUES ("'.$pdusername.'","","'.$pdemail.'","'.$pdpassword.'",1,0,"",1,-1,"'.$crumbs.'",0)';
    $db->query($sql);
}

然而,当我提交表格时,我明白了:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'qActive":"","cardColor":8,"storage":"F0004a,F206","closet":"P001,C301c,C415a,C60' at line 2' in /var/www/html/register/index.php:35 Stack trace: #0 /var/www/html/register/index.php(35): PDO->query('INSERT INTO use...') #1 {main} thrown in /var/www/html/register/ind

为什么会这样? :/

1 个答案:

答案 0 :(得分:0)

如何构建sql查询esp存在一些问题。在$ crumbs部分周围 - 它没有被标记为MySQL的字符串文字 您的脚本也很容易sql injections 您可以使用prepared statements来解决这些问题。

<?php

if ( isset($_POST['username'], $_POST['email'], $_POST['password']) ) {
    // <-- maybe some other sanity check here? -->
    $stmt = $db->prepare("
        INSERT INTO
            users
            (username,nickname,email,password,active,parent,ubdate,level,memberexpiry,crumbs,ismod)
        VALUES
            (:username,'',:email,:password, 1, 0, '', 1, -1,:crumbs, 0)
    ");

    $stmt->execute( array(
        'username'=> $_POST['username'],
        'email'   => $_POST['email'],
        'password'=> $_POST['password'],
        'crumbs'  => '{"qActive":"","cardColor":8,"storage":"F0004a,F206","closet":"P001,C301c,C415a,C601a,C010a,C303a,C744,BG037,BG101,C401c,GI704,C456b","memberOnly":"","qItems":"","color":"1","coins":1000,"allowFriends":1,"email":"'.$pdemail.'","isEligible":"1","bankCount":"","isEmailValidated":1,"isMember":1,"lastGame":"MG001","isZing":1,"xp":0,"qCount":0,"bank":"","isSafe":"0","gold":0,"bday":"1/1/2000,382","festivalCollection":0,"wearing":"","tickets":0,"xpLevel":0,"lastPlayed":"1/1/2015,383","games":"MG001,MG002,MG003","isMod":0,"mounts":"","backpack":"","level":"1"}'
    ) );

}
相关问题
最新问题