I am getting an Error in MySQL:
我在MySQL中出错了:
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '''')' at line 2'.
HTML Code:
HTML代码:
<form action="read_message.php" method="post">
<table class="form_table">
<tr>
<td style="font-weight:bold;">Subject:</td>
<td><input style=" width:300px" name="form_subject"/></td>
<td></td>
</tr>
<tr>
<td style="font-weight:bold;">Message:</td>
<td id="myWordCount"> (300 words left)</td>
<td></td>
</tr>
<tr>
<td><input type="hidden" name="sender_id" value="<?php echo $sender_id?>"></td>
<td><textarea cols="50" rows="4" name="form_message"></textarea></td>
<td valign="bottom"><input type="submit" name="submit_message" value="send"></td>
</tr>
</table>
</form>
Code to insert into a mysql table:
插入到mysql表的代码:
<?php
include_once"connect_to_mysql.php";
//submit new message
if($_POST['submit_message']){
if($_POST['form_subject']==""){
$submit_subject="(no subject)";
}else{
$submit_subject=$_POST['form_subject'];
}
$submit_message=$_POST['form_message'];
$sender_id = $_POST['sender_id'];
if($shortMessagesLeft<1){
$form_error_message='You have left with '.$shortMessagesLeft.' Short Message. Please purchase it from the <a href="membership.php?id='.$id.'">shop</a>.';
}
else if($submit_message==""){
$form_error_message = 'Please fill in the message before sending.';
}
else{
$message_left = $shortMessagesLeft-1;
$update_short_message = mysql_query("UPDATE message_count SET short_message = '$message_left' WHERE user_id = '$id'");
$sql = mysql_query("INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
VALUES('$sender_id', '$id', now(),'$submit_subject','$submit_message')") or die (mysql_error());
}
}
?>
What does the error mean and what am I doing wrong?
错误是什么意思,我做错了什么?
5 个解决方案
#1
12
There is a single quote in $submitsubject or $submit_message
$submitsubject或$submit_message中有一个引用
Why is this a problem?
为什么这是个问题?
The single quote char terminates the string in MySQL and everything past that is treated as a sql command. You REALLY don't want to write your sql like that. At best, your application will break intermittently (as you're observing) and at worst, you have just introduced a huge security vulnerability.
在MySQL中,单引号字符终止了字符串,而过去的一切都被当作sql命令处理。你真的不想这样写sql语句。在最好的情况下,应用程序将间歇性地中断(正如您所观察到的),而在最坏的情况下,您刚刚引入了一个巨大的安全漏洞。
Imagine if someone submitted '); DROP TABLE private_messages; in submit message.
想象一下如果有人提交了;删除表private_messages;在提交信息。
Your SQL Command would be:
您的SQL命令将是:
INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
VALUES('sender_id', 'id', now(),'subjet','');
DROP TABLE private_messages;
Instead you need to properly sanitize your values.
相反,你需要正确地净化你的价值观。
AT A MINIMUM you must run each value through mysql_real_escape_string() but you should really be using prepared statements.
至少,您必须通过mysql_real_escape_string()运行每个值,但是您确实应该使用准备好的语句。
If you were using mysql_real_escape_string() your code would look like this:
如果您正在使用mysql_real_escape_string(),那么您的代码将如下所示:
if($_POST['submit_message']){
if($_POST['form_subject']==""){
$submit_subject="(no subject)";
}else{
$submit_subject=mysql_real_escape_string($_POST['form_subject']);
}
$submit_message=mysql_real_escape_string($_POST['form_message']);
$sender_id = mysql_real_escape_string($_POST['sender_id']);
Here is a great article on prepared statements and PDO.
这里有一篇关于准备语句和PDO的文章。
#2
4
That's called SQL INJECTION. The ' tries to open/close a string in your mysql query. You should always escape any string that gets into your queries.
这就叫做SQL注入。尝试在mysql查询中打开/关闭一个字符串。您应该总是转义任何进入查询的字符串。
for example,
例如,
instead of this:
而不是:
"VALUES ('$sender_id') "
do this:
这样做:
"VALUES ('". mysql_real_escape_string($sender_id) ."') "
(or equivalent, of course)
当然,(或同等)
However, it's better to automate this, using PDO, named parameters, prepared statements or many other ways. Research about this and SQL Injection (here you have some techniques).
但是,最好使用PDO、命名参数、准备语句或其他许多方法来自动化。研究这个和SQL注入(这里有一些技术)。
Hope it helps. Cheers
希望它可以帮助。干杯
#3
0
Please make sure you have downloaded the sqldump fully, this problem is very common when we try to import half/incomplete downloaded sqldump. Please check size of your sqldump file.
请确保您已经完全下载了sqldump,当我们尝试导入半/不完整下载的sqldump时,这个问题非常常见。请检查sqldump文件的大小。
#4
0
I was getting the same error when I used this code to update the record:
当我使用这段代码更新记录时,我得到了相同的错误:
@mysqli_query($dbc,$query or die()))
After removing or die, it started working properly.
在取出或死亡后,它开始正常工作。
#5
0
I had this problem before, and the reason is very simple: Check your variables, if there were strings, so put it in quotes '$your_string_variable_here' ,, if it were numerical keep it without any quotes. for example, if I had these data: $name ( It will be string ) $phone_number ( It will be numerical ) So, it will be like that:
我之前遇到过这个问题,原因很简单:检查变量,如果有字符串,那么把它放在引号中‘$your_string_variable_here’,如果是数值的,就不要用引号。例如,如果我有这些数据:$name(它将是string) $phone_number(它将是数值)
$query = "INSERT INTO users (name, phone) VALUES ('$name', $phone)"; Just like that and it will be fixed ^_^
$query =“插入用户(姓名、电话)值(‘$name’、$phone)”;就像这样,它将固定^ _ ^
#1
12
There is a single quote in $submitsubject or $submit_message
$submitsubject或$submit_message中有一个引用
Why is this a problem?
为什么这是个问题?
The single quote char terminates the string in MySQL and everything past that is treated as a sql command. You REALLY don't want to write your sql like that. At best, your application will break intermittently (as you're observing) and at worst, you have just introduced a huge security vulnerability.
在MySQL中,单引号字符终止了字符串,而过去的一切都被当作sql命令处理。你真的不想这样写sql语句。在最好的情况下,应用程序将间歇性地中断(正如您所观察到的),而在最坏的情况下,您刚刚引入了一个巨大的安全漏洞。
Imagine if someone submitted '); DROP TABLE private_messages; in submit message.
想象一下如果有人提交了;删除表private_messages;在提交信息。
Your SQL Command would be:
您的SQL命令将是:
INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
VALUES('sender_id', 'id', now(),'subjet','');
DROP TABLE private_messages;
Instead you need to properly sanitize your values.
相反,你需要正确地净化你的价值观。
AT A MINIMUM you must run each value through mysql_real_escape_string() but you should really be using prepared statements.
至少,您必须通过mysql_real_escape_string()运行每个值,但是您确实应该使用准备好的语句。
If you were using mysql_real_escape_string() your code would look like this:
如果您正在使用mysql_real_escape_string(),那么您的代码将如下所示:
if($_POST['submit_message']){
if($_POST['form_subject']==""){
$submit_subject="(no subject)";
}else{
$submit_subject=mysql_real_escape_string($_POST['form_subject']);
}
$submit_message=mysql_real_escape_string($_POST['form_message']);
$sender_id = mysql_real_escape_string($_POST['sender_id']);
Here is a great article on prepared statements and PDO.
这里有一篇关于准备语句和PDO的文章。
#2
4
That's called SQL INJECTION. The ' tries to open/close a string in your mysql query. You should always escape any string that gets into your queries.
这就叫做SQL注入。尝试在mysql查询中打开/关闭一个字符串。您应该总是转义任何进入查询的字符串。
for example,
例如,
instead of this:
而不是:
"VALUES ('$sender_id') "
do this:
这样做:
"VALUES ('". mysql_real_escape_string($sender_id) ."') "
(or equivalent, of course)
当然,(或同等)
However, it's better to automate this, using PDO, named parameters, prepared statements or many other ways. Research about this and SQL Injection (here you have some techniques).
但是,最好使用PDO、命名参数、准备语句或其他许多方法来自动化。研究这个和SQL注入(这里有一些技术)。
Hope it helps. Cheers
希望它可以帮助。干杯
#3
0
Please make sure you have downloaded the sqldump fully, this problem is very common when we try to import half/incomplete downloaded sqldump. Please check size of your sqldump file.
请确保您已经完全下载了sqldump,当我们尝试导入半/不完整下载的sqldump时,这个问题非常常见。请检查sqldump文件的大小。
#4
0
I was getting the same error when I used this code to update the record:
当我使用这段代码更新记录时,我得到了相同的错误:
@mysqli_query($dbc,$query or die()))
After removing or die, it started working properly.
在取出或死亡后,它开始正常工作。
#5
0
I had this problem before, and the reason is very simple: Check your variables, if there were strings, so put it in quotes '$your_string_variable_here' ,, if it were numerical keep it without any quotes. for example, if I had these data: $name ( It will be string ) $phone_number ( It will be numerical ) So, it will be like that:
我之前遇到过这个问题,原因很简单:检查变量,如果有字符串,那么把它放在引号中‘$your_string_variable_here’,如果是数值的,就不要用引号。例如,如果我有这些数据:$name(它将是string) $phone_number(它将是数值)
$query = "INSERT INTO users (name, phone) VALUES ('$name', $phone)"; Just like that and it will be fixed ^_^
$query =“插入用户(姓名、电话)值(‘$name’、$phone)”;就像这样,它将固定^ _ ^