Mysql Sql选择查询?
我在sql查询中遇到了一个问题 我的代码是:Mysql Sql选择查询?,mysql,sql,Mysql,Sql,我在sql查询中遇到了一个问题 我的代码是: $sSQL = "SELECT * FROM sub_admin WHERE UserName ='".$user."' , Password = '".$pass."' AND Branch='it'"; 但它显示了这个错误: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for
$sSQL = "SELECT * FROM sub_admin WHERE UserName ='".$user."' ,
Password = '".$pass."' AND Branch='it'";
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near ' Password = 'ss' AND
Branch='it'' at line 1
<?php session_start();
include 'conn.php';
include 'layouts/header.php';
$sql="SELECT * FROM signup where Department='it'";
if($sql)
{
$result=mysql_query($sql);
}
else
{
$sql2="SELECT * FROM signup WHERE Department='management'";
$resul=mysql_query($sql2);
}
?>
<div id="main">
<div id="navigation" >
<ul class="nav">
<li><a href="selected_user.php">Users Statistics</a></li>
<li><a href="message.php">Post New Anousment</a></li>
<li><a href="#">Messages</a>
<ul>
<li><a href="#">Inbox</a></li>
<li><a href="#">Outbox</a></li>
</ul>
</li>
<li><a href="logout.php">Logout</a></li>
</ul>
</div>
<div id="page">
<h2>Admin Menu</h2>
<p>Welcome to Admin Area</p>
<div class="tbl">
<table>
<tr>
<th><strong>ID</strong></th>
<th><strong>FirstName</strong></th>
<th><strong>LastName</strong></th>
<th><strong>UserName</strong></th>
<th><strong>Email</strong></th>
<th><strong>Department</strong></th>
<th><strong>ID#</strong></th>
<th><strong>Phone #</strong></th>
<th><strong>Address</strong></th>
<th><strong>Status</strong></th>
</tr>
<?php while($rows=mysql_fetch_array($result)){?>
<tr>
<td><?php echo $rows['Id']; ?></td>
<td><?php echo $rows['First_Name']; ?></td>
<td><?php echo $rows['Last_Name']; ?></td>
<td><?php echo $rows['Username'];?></td>
<td><?php echo $rows['Email']; ?></td>
<td><?php echo $rows['Department']; ?></td>
<td><?php echo $rows['Employe_Id']; ?></td>
<td><?php echo $rows['Phone']; ?></td>
<td><?php echo $rows['Address']; ?></td>
<td><?php echo $rows['Status']; ?></td>
</tr>
<?php } ?>
</table>
</div>
</div>
</div>
<?php include 'layouts/footer.php' ?>
复制/粘贴并检查以下内容:
$sSQL = "SELECT * FROM `sub_admin` WHERE `UserName` ='".$user."' and `Password` = '".$pass."' AND `Branch`='it'";
投票失败有什么特别的原因吗?这似乎是正确的答案。也许是为了鼓励易受SQL注入攻击的代码,而不是提及绑定参数?或者可能是为了回答一个可能应该在“题外话/打字错误”类别下关闭的问题。@AndrewMedico:尽管如此,它仍然回答了这个问题。您是否尝试过回答在您的评论中提及边界参数的问题?这个答案不值得投反对票,我没有投反对票。猜猜为什么会这样。然后我猜谁否决了这一点,谁就会读到我的评论:“这样做”不是一个好答案。你应该解释一下为什么你的答案能解决这个问题。你是对的。所以,正如Gordon Linoff所提到的,缺失和参数是一个问题。第二个建议-始终将列名放在撇号中。第三个问题-将变量安全地传递给DB吗?您可以考虑使用mysql\u real\u escape\u string$your\u变量来避免mysql注入。@marcineck撇号!=backtick.为什么这两个查询不起作用?主要的SQL注入漏洞。不要通过连接字符串来创建查询,特别是如果字符串来自用户。使用mysqli或更好的PDO,并使用准备好的语句。
$sSQL = "SELECT * FROM `sub_admin` WHERE `UserName` ='".$user."' and `Password` = '".$pass."' AND `Branch`='it'";