1. 首页
  2. 问答
  3. MySql查询中的错误是什么?

MySql查询中的错误是什么?

2012-09-30 48 views
0

每当我访问该页时,我都会得到:您在SQL语法中有错误;检查对应于你的MySQL服务器版本正确的语法使用近“”在1号线MySql查询中的错误是什么?

它与第二个做while循环

<html> 
<body> 
<?php 
mysql_connect("mysql.1freehosting.com", "u533288591_sdc", "mypass") or die(mysql_error()); 
mysql_select_db("u533288591_sdc"); 
$name = $_POST['name']; 
$probably_needed = "questions"; 
$grade = $_POST['class'] ; 
$answers ="answers" ; 
$query = mysql_query("SELECT * FROM $probably_needed ") or die(mysql_error()); 
$otherquery = mysql_query("select * from $ANSWERS ") or die (mysql_error()) ; 

while($row = mysql_fetch_array($query)){ 
echo "<a href=\"answer.php?name=" . $name . "&subject=" . $row['Subject'] . "&grade=" . $grade . "\">" . $row['Subject'] ."</a>" ; 
    while($answerrow = mysql_fetch_array($otherquery)){ 
     if ($answerrow['name'] == $name){ 
      if ($answerrow['subject'] == $row['Subject']){ 
       echo "success" ; 
       } 
      } 
     } 

} 
?> 

</body> 
</html>

来源

2012-09-30 user1709980

+1

您有一个XSS漏洞。 – SLaks

回答

0

包住变量与反引号的手册。 lowercase您的变量$ANSWERS

SELECT * FROM `$probably_needed` 
select * from `$answers`

PHP是区分大小写的。

来源

2012-09-30 15:44:55

+1

这不是问题的答案! – JvdBerg

2

A.在PHP $answers不是$ANSWERS

Form PHP Doc

在PHP的变量用一个美元符号后面是变量的名称来表示。变量名称区分大小写。

尝试

$answers ="answers" ; 
mysqli_query($link,sprintf("Select * from %s",$answers));


B.从PHP文件上mysql_query

建议的替代 使用这个扩展的气馁。相反,应该使用MySQLi或PDO_MySQL扩展。另请参阅MySQL:选择API指南和相关FAQ以获取更多信息。替代该功能包括:

你应该升级到mysqliPDO


C.由于您的代码XSS漏洞注入你应该使用filter_var

什么,我认为你的代码看起来应该像

$mysqli = new mysqli("mysql.1freehosting.com", "u533288591_sdc", "mypass", "u533288591_sdc"); 

$name = filter_var($_POST['name'], FILTER_SANITIZE_STRING); 
$grade = filter_var($_POST['class'],FILTER_SANITIZE_STRING); 

$tableQuestion = "questions"; // not sure where this would come from 
$tableAnswer = "answers"; 

$resultQuestion = $mysqli->query(sprintf("SELECT * FROM `%s`", $tableQuestion)); 
$resultAnswer = $mysqli->query(sprintf("SELECT * FROM `%s`", $tableAnswer)); 

$template = "<a href=\"answer.php?name=%s&subject=%s&grade=%s\">%s</a>"; 

while ($rowQuestion = $resultQuestion->fetch_assoc()) { 
    printf($resultAnswer, $name, $rowQuestion['Subject'], $grade, $rowQuestion['Subject']); 
    while ($rowAnswer = $resultAnswer->fetch_assoc()) { 
     if ($rowAnswer['name'] == $name && $rowAnswer['subject'] == $rowQuestion['Subject']) { 
      echo "success"; 
     } 

    } 
}

来源

2012-09-30 15:46:39 Baba

+0

nope ... 警告:mysqli_query()需要至少2个参数,1在/ home/u533288591/public_html/display中给出。在线12 警告:mysql_fetch_array():提供的参数不是有效的MySQL结果资源在/home/u533288591/public_html/display.php在线16 你好 警告:mysql_fetch_array():提供的参数不是有效的MySQL结果资源位于第16行的/home/u533288591/public_html/display.php – user1709980

+0

'$ link'应该像'$ link = mysqli_connect(“localhost”,“my_user”,“my_password”,“world”);'' – Baba

+1

对于所有的解释+1) – JvdBerg

1

PHP中的变量名是case sensitive

您定义:$answers ="answers";

但使用"select * from $ANSWERS "

$答案不是$真题答案

来源

2012-09-30 15:47:12 JvdBerg

+0

+1阅读我的想法我使用过'$ answers不是$ ANSWERS'你也使用过'$ answers不是$ ANSWERS' – Baba

0

可能是我的错误,但你应该这样做:

$queryText1 = "SELECT * FROM " + $probably_needed; 
$queryText1 = "SELECT * FROM " + $ANSWERS; 
$query = mysql_query($queryText1) or die(mysql_error()); 
$otherquery = mysql_query($queryText1) or die (mysql_error()) ;

换句话说,你应该串联字符串和变量。

来源

2012-09-30 15:47:46 hdimon

相关问题

 相关问题