MariaDB与查询错误

时间:2016-12-29 17:37:18

标签: mariadb

执行查询时出现以下错误。

<?php 
header("Access-Control-Allow-Origin: *");
//header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
$kode_decode = file_get_contents("php://input")
$data = json_decode($kode_decode);
$username = mysql_real_escape_string($data->username);
$password = mysql_real_escape_string($data->password);

//$foo= $_GET['first'];
//$foo1= $_GET['second'];

$host = "mysql.idhostinger.com";
$username_database = "";
$pass_database = "";
$database = "private";

$connect_db = mysqli_connect($host, $username_database, $pass_database, $database); 

if ($connect_db) {
    echo "Database ditemukan";
}else {
  echo "Database Tidak Ada";
  mysqli_close($connect_db);
}

$tesa = 'yosia';
$tesb = 'pazz';

$query = "INSERT INTO coba_form VALUES('','".$tesa."','".$tesb."')";
$sql = mysqli_query($connect_db, $query);

if($sql){
    echo "data berhasil di insert ke dalam database";
}else{
    echo "data gagal diinsert ke dalam database";
}
//mysql_select_db("300927381_smst");
/*$tesa = 'yosia';
$tesb = 'pazz';
$qry = 'INSERT INTO coba_form values ("''","'.$tesa.'","'.$tesb.'")';



$qry_res = mysql_query($qry);

if ($qry_res) {
    $arr = array('msg' => "User Created Successfully!!!", 'error' => '');
    $jsn = json_encode($arr);
    print_r($jsn);
} else {
    $arr = array('msg' => "", 'error' => 'Error In inserting');
    $jsn = json_encode($arr);
    print_r($jsn);
}*/

?>

这是查询

Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''0', '25'' at line 1

注释

这是paramas的var dum输出

   $sqlData = 'SELECT * FROM users WHERE u_id_id = :UID_ID ORDER BY :ORDER_BY :ORDER_TYPE limit :START, :DATA_LENGTH';

        $params = array(
            ":UID" => $uId,
            ":ORDER_BY" => $orderBy,
            ":ORDER_TYPE" => $orderType,
            ":START" => $start,
            ":DATA_LENGTH" => $length
        );
      $queryData = \registry::getDBHandler()->prepare($sqlData);


  $queryData->execute($params);
var_dump($queryData->execute($params));

1 个答案:

答案 0 :(得分:1)

Prepared语句允许您将变量绑定到SQL查询的WHERE(以及我认为SELECT)子句。不幸的是,它们不允许您绑定到ORDER BYLIMIT(或FROM)子句。为此,您需要手动追加到字符串。

由于用户没有输入这些值,如果你这样做,你应该安全地从SQL注入:

$sqlData = "SELECT * FROM users WHERE u_id_id = :UID_ID ORDER BY $orderBy $orderType LIMIT $start, $length";

(注意字符串周围的双引号)

然后你的$params数组就是:

$params = array(":UID" => $uId);

如果您担心SQL注入,那么您可以使用以下内容来帮助解决这个问题:

  • 对于ORDER BY,您可以确保$orderBy位于硬编码字段列表中,如果不是,则拒绝该字段。
  • 对于$orderType,只需确保它等于"asc""desc"(可能忽略大小写)。
  • 使用$start$length,确保它们是整数。如果需要,您还可以尝试使用intval()转换它们。

如果您遵循这些规则,那么将这些变量附加到SQL查询中应该是安全的。由于$uIdWHERE的一部分,因此您可以使用准备好的变量,这很好。