PDO语句出错

时间:2011-08-03 20:50:29

标签: php mysql pdo

错误:*解析错误:语法错误,第9行意外的T_VARIABLE *< - 仍然给我同样的错误..

PHP 

<?php
#connect mysql
require_once "dbcred.php";
$dbh = testdb_connect ();

session_start(); 
$username = $_POST['regduser']; 
$userpass = md5($_POST['regdpass']); 
$sql = $pdo->prepare("SELECT * from Students WHERE regduser=:username and regdpass=:pass");
$sql->bindParam(':username', $username)
$sql->bindParam(':pass', $userpass)
$sql->execute();
$result = mysql_query($sql); 
if (mysql_num_rows($result)!= 1) { 
 $error = "Login failed"; 
 #include "loginform.php"; 
} else { 
    echo "<h1>exists</h1>";
 #$_SESSION['regduser'] = "$username"; 
 #$_SESSION['ip'] = $_SERVER['REMOTE_ADDR']; 
 // any other data needed to navigate the site or 
 // to authenticate the user can be added here 
 #include "membersection.php"; 
}

?>

dbcred.php 

<?php
   # pdo_testdb_connect.php - function for connecting to the "test" database

   function testdb_connect ()
   {
     $dbh = new PDO("mysql:host=localhost;dbname=#", "root", "");
     return ($dbh);
   }
?>

HTML: 

<form action="inc/check_regUsr.php" method="post" id="userLogon">
    <div class="field required">
        Username: <input type="text" name="regduser" tabindex="1" /><br />
        </div>
        <div class="field required">
        Password: <input type="text" name="regdpass" tabindex="2" /><br />
        </div>
        <input type="submit" name="submitUser" />
</form>

5 个答案:

答案 0 :(得分:5)

$sql = $dbh->prepare("SELECT * from Students WHERE regduser=:username and regdpass=:pass");
$sql->bindParam(':username', $username)
$sql->bindParam(':pass', $userpass)
$sql->execute();

Bobby-Tables PHP

如果您已使用PDO,则使用参数化查询来利用转义。 此外,您在查询中使用单引号并包含该字符串。在查询中使用双引号作为字符串和单引号,因为它现在的方式,您已经在第一个单引号后终止字符串。

答案 1 :(得分:2)

您需要在查询(句点)中放置字符串连接语法:

$sql = $pdo->prepare('SELECT * from Students WHERE regduser="'.addslashes($username).'" and regdpass="'.addslashes($userpass).'"');

您也可以为字符串使用双引号,这意味着变量将在字符串中被替换。

$username = addslashes($username);
$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");

我也已经转义了你的变量,你需要确保在查询中使用数据之前总是从用户那里转义数据,或者使用PDO将它们与问号交换(?)

答案 2 :(得分:1)

您需要将字符串放在双引号中。 PHP认为该语句在第二个单引号字符处终止。

像这样:$ sql = $ pdo-&gt; prepare(“SELECT * from Students WHERE regduser ='$ username'和regdpass ='$ userpass'”);

答案 3 :(得分:1)

你以错误的方式使用字符串连接。第9行应如下所示:

$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");

或者,如果你想使用单引号:

$sql = $pdo->prepare('SELECT * from Students WHERE regduser=\''.$username.'\' and regdpass=\''.$userpass.'\'");

答案 4 :(得分:0)

您的字符串构造已损坏:

$sql = $pdo->prepare('SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'');
                     ^--start string                        ^---end string

请改为尝试:

$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
                     ^--double quote                                                            ^---ditto
相关问题
最新问题