1. 首页
  2. 问答
  3. 此PHP代码中的SQL语法有什么问题?

此PHP代码中的SQL语法有什么问题?

2014-02-15 51 views
-2

我正在学习PHP,所以我在PHP中练习SQL和CRUD,但是我似乎有一个问题,但我没有看到什么是错的。有两个文件:此PHP代码中的SQL语法有什么问题?

databases.php

<?php 
// 1. Create a database connection 
$dbhost = "localhost"; 
$dbuser = "root"; 
$dbpass = "root"; 
$dbname = "widget_corp"; 
$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname); 
// Test if connection occured 
if(mysqli_connect_errno()) { 
    die("Database connection failed: " . 
     mysqli_connect_error() . 
      " (" . mysqli_connect_errno() . ")" 
); 
} 

?> 
<?php 
// Perform database query 
$query = "SELECT * "; 
$query .= "FROM subjects "; 
$query .= "WHERE visible = 1 "; 
$query .= "ORDER BY position ASC"; 
$result = mysqli_query($connection, $query); 
// Test if there was a query error 
if (!$result) { 
    die("Database query failed."); 
} 

?> 
<!DOCTYPE html PUBLIC "-//W3C/DTD HTML 4.01 Transitional//EN" 
    "http://www.w3.org/TR/html4/loose.dtd"> 

<html lang="en"> 
<head> 
    <title>Databases</title> 
    <body> 
     <ul> 
     <?php 
     // 3. Use returned data (if any) 
     while($subject = mysqli_fetch_assoc($result)) { 
      // Output data from each row 
      ?> 
      <li><?php echo $subject["menu_name"] . " (" .$subject["id"] . ")"; ?></li> 
      <?php 
     } 
     ?> 
    </ul> 
     <?php 
     // 4. Release returned data 
     mysqli_free_result($result); 
     ?> 
    </body> 
<?php 
// Close database connection 
mysqli_close($connection); 
?>

和databases_update.php

<?php 
// 1. Create a database connection 
$dbhost = "localhost"; 
$dbuser = "root"; 
$dbpass = "root"; 
$dbname = "widget_corp"; 
$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname); 
// Test if connection occured 
if(mysqli_connect_errno()) { 
    die("Database connection failed: " . 
     mysqli_connect_error() . 
      " (" . mysqli_connect_errno() . ")" 
); 
} 

?> 
<?php 
// Often these are form values in $_POST 
$id = 5; 
$menu_name = "Delete me"; 
$position = 4; 
$visible = 1; 

// 2. Perform database query 
$query = "UPDATE subjects SET "; 
$query .= "menu_name = '{$menu_name}', "; 
$query .= "position = {$position}, "; 
$query .= "visible = {$visible}, "; 
$query .= "WHERE id = {$id}"; 

$result = mysqli_query($connection, $query); 
// Test if there was a query error 
if ($result) { 
    // Success 
    // redirect_to("somepage.php"); 
    echo "Success!"; 
} else { 
    // Failure 
    // message = "Subject creation failed"; 
    die("Database query failed. " . mysqli_error($connection)); 
} 

?> 
<!DOCTYPE html PUBLIC "-//W3C/DTD HTML 4.01 Transitional//EN" 
    "http://www.w3.org/TR/html4/loose.dtd"> 

<html lang="en"> 
<head> 
    <title>Databases</title> 
    <body> 

    </body> 
<?php 
// Close database connection 
mysqli_close($connection); 
?>

我收到的错误是,当我去到localhost:8888/databases_update.php。 这是错误: Database query failed. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 5' at line 1 这是什么造成的?

来源

2014-02-15 Matt

+3

丢失后'可见逗号= {$可见}' –

+2

你有后'{$可见}'一个逗号。 – h2ooooooo

+1

您应该使用准备好的语句。如果可以帮助,请不要将变量直接放入查询中。 – Mike

回答

1

Wallyk的回答是正确的。但是,使用预处理语句会更好(更安全!),因为它们会通过不正确的转义防止SQL注入。

然后您需要使用mysqli_prepare函数(或$ connection-> prepare()),然后将所需的参数绑定到查询并执行它。像这样:

替换:

$query = "UPDATE subjects SET "; 
$query .= "menu_name = '{$menu_name}', "; 
$query .= "position = {$position}, "; 
$query .= "visible = {$visible}, "; 
$query .= "WHERE id = {$id}"; 
$result = mysqli_query($connection, $query);

有了:

$query = $connection->prepare("UPDATE subjects SET menu_name=?, position=?, visible=? WHERE id=?"); 
$query->bind_param('siii', $menu_name, $position, $visible, $id); // siii means 1 string, followed by 3 integer values 
$result = $query->execute(); // actually run the query

来源

2014-02-15 23:42:49 Tularis

2 
$query .= "visible = {$visible}, "; 
$query .= "WHERE id = {$id}";

是在“WHERE”关键字前面有逗号的问题。

visible = {$visible}, WHERE id = {$id}

来源

2014-02-15 23:33:10 wallyk

相关问题

 相关问题