What is wrong with the SQL syntax in this PHP code?_Php_Mysqli - Fatal编程技术网

What is wrong with the SQL syntax in this PHP code?


I am learning PHP, so I am practicing SQL and CRUD in PHP, but I seem to have a problem and I cannot see what is wrong. There are two files:

databases.php

<?php
// 1. Create a database connection
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "root";
$dbname = "widget_corp";
$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
// Test if connection occurred
if(mysqli_connect_errno()) {
    die("Database connection failed: " .
        mysqli_connect_error() . 
            " (" . mysqli_connect_errno() . ")"
);
}

?>
<?php
// Perform database query
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE visible = 1 ";
$query .= "ORDER BY position ASC";
$result = mysqli_query($connection, $query);
// Test if there was a query error
if (!$result) {
    die("Database query failed.");
}

?>
<!DOCTYPE html PUBLIC "-//W3C/DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>
    <title>Databases</title>
</head>
    <body>
        <ul>
        <?php
        // 3. Use returned data (if any)
        while($subject = mysqli_fetch_assoc($result)) {
            // Output data from each row
            ?>
            <li><?php echo $subject["menu_name"] . " (" .$subject["id"] . ")"; ?></li>
            <?php
        }
        ?>
    </ul>
        <?php
        // 4. Release returned data
        mysqli_free_result($result);
        ?>
    </body>
<?php
// Close database connection
mysqli_close($connection);
?>
</html>

and databases_update.php

<?php
// 1. Create a database connection
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "root";
$dbname = "widget_corp";
$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
// Test if connection occurred
if(mysqli_connect_errno()) {
    die("Database connection failed: " .
        mysqli_connect_error() . 
            " (" . mysqli_connect_errno() . ")"
);
}

?>
<?php
// Often these are form values in $_POST
$id = 5;
$menu_name = "Delete me";
$position = 4;
$visible = 1;

// 2. Perform database query
$query  = "UPDATE subjects SET ";
$query .= "menu_name = '{$menu_name}', ";
$query .= "position = {$position}, ";
$query .= "visible = {$visible}, ";
$query .= "WHERE id = {$id}";

$result = mysqli_query($connection, $query);
// Test if there was a query error
if ($result) {
    // Success
    // redirect_to("somepage.php");
    echo "Success!";
} else {
    // Failure
    // message = "Subject creation failed";
    die("Database query failed. " . mysqli_error($connection));
}

?>
<!DOCTYPE html PUBLIC "-//W3C/DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>
    <title>Databases</title>
</head>
    <body>

    </body>
<?php
// Close database connection
mysqli_close($connection);
?>
</html>

The problem is the comma in front of the "where" keyword.


Wallyk's answer is correct. However, it is better (and safer!) to use prepared statements, since they prevent the SQL injection that comes from improper escaping.

What you then need to do is use the mysqli_prepare function (or $connection->prepare()), bind the required parameters to the query, and execute it. Like this:

Replace:

$query  = "UPDATE subjects SET ";
$query .= "menu_name = '{$menu_name}', ";
$query .= "position = {$position}, ";
$query .= "visible = {$visible}, ";
$query .= "WHERE id = {$id}";
$result = mysqli_query($connection, $query);
with:

$query = $connection->prepare("UPDATE subjects SET menu_name=?, position=?, visible=? WHERE id=?");
$query->bind_param('siii', $menu_name, $position, $visible, $id); // siii means 1 string, followed by 3 integer values
$result = $query->execute(); // actually run the query


Comments on the question:

Lose the comma after visible={$visible},

There is a comma after {$visible}:
visible = {$visible}, WHERE id = {$id}

You should use prepared statements. If you can, do not put variables directly into the query.

Please do not use form POST data this way. Escape it first (or better, use prepared statements!). Google "SQL injection".
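The prepared-statement answer above, taken one step further as an added example (this is not code from the question or from either answer): the UPDATE from databases_update.php written as a function that validates its inputs, binds every value, turns mysqli errors into exceptions, and returns the number of rows affected. It assumes the same widget_corp database and root credentials as the question; the update_subject and subject_from_post functions and the sample menu_name containing an apostrophe are constructed for this example.

```php
<?php
// Added example, not the poster's or the answerers' code. Assumes the same
// widget_corp database and credentials as the question. The sample
// menu_name with an apostrophe is constructed to show that bound
// parameters need no manual escaping.

// Make mysqli throw mysqli_sql_exception instead of returning false,
// so a failed prepare() or execute() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect_db(): mysqli
{
    // Same connection details as the question (assumed for this example).
    return new mysqli("localhost", "root", "root", "widget_corp");
}

/**
 * Update one row of subjects. Every value travels as a bound parameter,
 * never as part of the SQL text, so quotes in $menu_name stay data.
 * Returns the number of rows changed (0 if the id does not exist or the
 * stored values were already identical).
 */
function update_subject(mysqli $conn, int $id, string $menu_name, int $position, int $visible): int
{
    if ($id <= 0 || $position < 0 || ($visible !== 0 && $visible !== 1)) {
        throw new InvalidArgumentException("Invalid subject values");
    }
    if ($menu_name === "" || strlen($menu_name) > 255) {
        throw new InvalidArgumentException("menu_name must be 1-255 bytes");
    }

    // Placeholders instead of interpolation, and no comma before WHERE.
    $stmt = $conn->prepare(
        "UPDATE subjects SET menu_name = ?, position = ?, visible = ? WHERE id = ?"
    );
    // 's' = string, 'i' = integer; the order matches the placeholders.
    $stmt->bind_param("siii", $menu_name, $position, $visible, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

/**
 * Read and type-check the form fields. filter_input returns null when a
 * field is missing and false when it is not an integer; both are rejected.
 */
function subject_from_post(): array
{
    $id        = filter_input(INPUT_POST, "id", FILTER_VALIDATE_INT);
    $position  = filter_input(INPUT_POST, "position", FILTER_VALIDATE_INT);
    $visible   = filter_input(INPUT_POST, "visible", FILTER_VALIDATE_INT);
    $menu_name = filter_input(INPUT_POST, "menu_name", FILTER_DEFAULT);
    if ($id === null || $id === false || $position === null || $position === false
        || $visible === null || $visible === false || $menu_name === null) {
        throw new InvalidArgumentException("Missing or non-numeric form field");
    }
    return [(int) $id, (string) $menu_name, (int) $position, (int) $visible];
}

try {
    $conn = connect_db();
    // Form values when posted; otherwise constructed sample values, as in
    // the question's "Often these are form values in $_POST".
    [$id, $menu_name, $position, $visible] =
        (($_SERVER["REQUEST_METHOD"] ?? "") === "POST")
            ? subject_from_post()
            : [5, "O'Brien's widgets", 4, 1];
    $changed = update_subject($conn, $id, $menu_name, $position, $visible);
    echo "Rows updated: {$changed}\n";
    $conn->close();
} catch (mysqli_sql_exception $e) {
    // Keep the database error server-side; do not echo it to the browser.
    error_log("subject update failed: " . $e->getMessage());
    http_response_code(500);
    echo "Update failed.\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "Bad request: " . $e->getMessage() . "\n";
}
```

The apostrophe in the sample name would have broken the interpolated query from the question (and input chosen by someone else could change the query's meaning); with bind_param it is stored as data. Enabling exceptions through mysqli_report also replaces the die("Database query failed. " . mysqli_error($connection)) pattern, which leaks database error text to the user, with a log entry and a generic response.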