执行查询时出现以下错误。
<?php
header("Access-Control-Allow-Origin: *");
//header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
$kode_decode = file_get_contents("php://input")
$data = json_decode($kode_decode);
$username = mysql_real_escape_string($data->username);
$password = mysql_real_escape_string($data->password);
//$foo= $_GET['first'];
//$foo1= $_GET['second'];
$host = "mysql.idhostinger.com";
$username_database = "";
$pass_database = "";
$database = "private";
$connect_db = mysqli_connect($host, $username_database, $pass_database, $database);
if ($connect_db) {
echo "Database ditemukan";
}else {
echo "Database Tidak Ada";
mysqli_close($connect_db);
}
$tesa = 'yosia';
$tesb = 'pazz';
$query = "INSERT INTO coba_form VALUES('','".$tesa."','".$tesb."')";
$sql = mysqli_query($connect_db, $query);
if($sql){
echo "data berhasil di insert ke dalam database";
}else{
echo "data gagal diinsert ke dalam database";
}
//mysql_select_db("300927381_smst");
/*$tesa = 'yosia';
$tesb = 'pazz';
$qry = 'INSERT INTO coba_form values ("''","'.$tesa.'","'.$tesb.'")';
$qry_res = mysql_query($qry);
if ($qry_res) {
$arr = array('msg' => "User Created Successfully!!!", 'error' => '');
$jsn = json_encode($arr);
print_r($jsn);
} else {
$arr = array('msg' => "", 'error' => 'Error In inserting');
$jsn = json_encode($arr);
print_r($jsn);
}*/
?>
这是查询
Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''0', '25'' at line 1
这是paramas的var dum输出
$sqlData = 'SELECT * FROM users WHERE u_id_id = :UID_ID ORDER BY :ORDER_BY :ORDER_TYPE limit :START, :DATA_LENGTH';
$params = array(
":UID" => $uId,
":ORDER_BY" => $orderBy,
":ORDER_TYPE" => $orderType,
":START" => $start,
":DATA_LENGTH" => $length
);
$queryData = \registry::getDBHandler()->prepare($sqlData);
$queryData->execute($params);
var_dump($queryData->execute($params));
答案 0 :(得分:1)
Prepared语句允许您将变量绑定到SQL查询的WHERE
(以及我认为SELECT
)子句。不幸的是,它们不允许您绑定到ORDER BY
或LIMIT
(或FROM
)子句。为此,您需要手动追加到字符串。
由于用户没有输入这些值,如果你这样做,你应该安全地从SQL注入:
$sqlData = "SELECT * FROM users WHERE u_id_id = :UID_ID ORDER BY $orderBy $orderType LIMIT $start, $length";
(注意字符串周围的双引号)
然后你的$params
数组就是:
$params = array(":UID" => $uId);
如果您担心SQL注入,那么您可以使用以下内容来帮助解决这个问题:
ORDER BY
,您可以确保$orderBy
位于硬编码字段列表中,如果不是,则拒绝该字段。$orderType
,只需确保它等于"asc"
或"desc"
(可能忽略大小写)。$start
和$length
,确保它们是整数。如果需要,您还可以尝试使用intval()
转换它们。如果您遵循这些规则,那么将这些变量附加到SQL查询中应该是安全的。由于$uId
是WHERE
的一部分,因此您可以使用准备好的变量,这很好。