I have a MySQL database with a table (opendpu) that has multiple columns including columns titled "ECRNUM" and "PE_REQUIRED".
I'm simply trying to test this update statement by specifying some values. I get this error:
Array ( [0] => 42000 [1] => 1064 [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DOE WHERE ECRNUM = 81308' at line 1 )
I cannot, for the life of me, figure out what is wrong here. Can anyone help?
<?php
require ('config.php');   // expected to define $dsn, $uname, $pword (and $counter/$limit for the retry loop)

$ecrno = '81308';
$pe_required = 'JOHN DOE';

// Retry the connection until it succeeds or the retry limit is reached
while (true) {
    try {
        $db = new PDO($dsn, $uname, $pword);
        $db->exec( "SET CHARACTER SET utf8" );
        $db->setAttribute( PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC );
        $db->setAttribute( PDO::ATTR_PERSISTENT, true );
        break;
    }
    catch (Exception $e) {
        $db = null;
        $counter++;
        if ($counter == $limit)
            throw $e;
    }
}

// The values are interpolated straight into the SQL text, unquoted
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED = $pe_required WHERE ECRNUM = $ecrno");
$stmt->execute() or die(print_r($stmt->errorInfo(), true));
?>
3 Answers
#1
1
Change your syntax like this [Enclosed quotes around the variable]
$stmt = $db->prepare("UPDATE `opendpu` SET PE_REQUIRED = '$pe_required' WHERE ECRNUM = '$ecrno'");
#2
3
+1 for using prepared statements... but (and it's a big BUT):
You should never use prepared statements without bind_param,
as this leaves you wide open to SQL injection and negates the benefits of prepared statements.
// Placeholders in the SQL; the values are bound separately and never parsed as SQL.
// $db is a PDO object in the question, so the PDO binding methods are used here.
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED=? WHERE ECRNUM=?");
$stmt->bindParam(1, $pe_required, PDO::PARAM_STR);
$stmt->bindParam(2, $ecrno, PDO::PARAM_INT);
$stmt->execute() or die(print_r($stmt->errorInfo(), true));
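The two behaviours this answer contrasts, as an added example that is not part of the original thread: the question's interpolated UPDATE (which fails with a syntax error because the unquoted value JOHN DOE becomes two bare tokens) beside the parameterised form, which stores the value intact even when it contains a quote. It assumes an in-memory SQLite table standing in for the MySQL opendpu table, with constructed sample rows.

```python
import sqlite3

# Constructed stand-in for the question's MySQL table (SQLite here, not MySQL).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE opendpu (ECRNUM INTEGER PRIMARY KEY, PE_REQUIRED TEXT)")
    con.execute("INSERT INTO opendpu VALUES (81308, 'UNASSIGNED')")
    return con

def update_interpolated(con, ecrno, pe_required):
    # Same construction as the question's PHP: the value is pasted into the SQL
    # text unquoted, so the parser sees "JOHN DOE" as two tokens and rejects it.
    sql = f"UPDATE opendpu SET PE_REQUIRED = {pe_required} WHERE ECRNUM = {ecrno}"
    try:
        con.execute(sql)
        con.commit()
        return "ok"
    except sqlite3.OperationalError as e:
        return f"syntax error: {e}"

def update_bound(con, ecrno, pe_required):
    # Parameterised form: placeholders in the SQL, values supplied separately,
    # so spaces or quotes in the value are never interpreted as SQL.
    con.execute("UPDATE opendpu SET PE_REQUIRED = ? WHERE ECRNUM = ?", (pe_required, ecrno))
    con.commit()
    row = con.execute("SELECT PE_REQUIRED FROM opendpu WHERE ECRNUM = ?", (ecrno,)).fetchone()
    return row[0]

def demo():
    con = make_db()
    results = {
        "interpolated": update_interpolated(con, 81308, "JOHN DOE"),
        "bound": update_bound(con, 81308, "JOHN DOE"),
        "bound_with_quote": update_bound(con, 81308, "O'BRIEN"),
    }
    con.close()
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```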
#3
0
Please check with the query below
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED = '.$pe_required.' WHERE ECRNUM = '.$ecrno.'");