PHP: Where did I go wrong? I have a MySQL syntax error in my CMS

Tags: php, mysql, sql

I'm making a simple CMS to manage someone's site, but when I try to modify the access level of a user account it gives a MySQL syntax error:

'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE user_id=2' at line 5'

The program has 3 levels of user: 1 = user, 2 = moderator, 3 = admin. Here is my code:
<?php
require_once 'db.inc.php';
require_once 'cms_http_functions.inc.php';

// Legacy mysql_* connection; the constants come from db.inc.php
$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or
    die ('Unable to connect. Check your connection parameters.');
mysql_select_db(MYSQL_DB, $db) or die(mysql_error($db));

if (isset($_REQUEST['action'])) {
    switch ($_REQUEST['action']) {
        case 'Login':
            // Look the user up by e-mail and MySQL PASSWORD() hash, then start a session
            $email = (isset($_POST['email'])) ? $_POST['email'] : '';
            $password = (isset($_POST['password'])) ? $_POST['password'] : '';
            $sql = 'SELECT
                        user_id, access_level, name
                    FROM
                        cms_users
                    WHERE
                        email = "' . mysql_real_escape_string($email, $db) . '" AND
                        password = PASSWORD("' . mysql_real_escape_string($password,
                            $db) . '")';
            $result = mysql_query($sql, $db) or die(mysql_error($db));
            if (mysql_num_rows($result) > 0) {
                $row = mysql_fetch_array($result);
                extract($row);
                session_start();
                $_SESSION['user_id'] = $user_id;
                $_SESSION['access_level'] = $access_level;
                $_SESSION['name'] = $name;
            }
            mysql_free_result($result);
            redirect('cms_index.php');
            break;

        case 'Logout':
            session_start();
            session_unset();
            session_destroy();
            redirect('cms_index.php');
            break;

        case 'Create Account':
            // New accounts always start at access level 1 (user)
            $name = (isset($_POST['name'])) ? $_POST['name'] : '';
            $email = (isset($_POST['email'])) ? $_POST['email'] : '';
            $password_1 = (isset($_POST['password_1'])) ? $_POST['password_1'] : '';
            $password_2 = (isset($_POST['password_2'])) ? $_POST['password_2'] : '';
            $password = ($password_1 == $password_2) ? $password_1 : '';
            if (!empty($name) && !empty($email) && !empty($password)) {
                $sql = 'INSERT INTO cms_users
                            (email, password, name)
                        VALUES
                            ("' . mysql_real_escape_string($email, $db) . '",
                             PASSWORD("' . mysql_real_escape_string($password, $db) . '"),
                             "' . mysql_real_escape_string($name, $db) . '")';
                mysql_query($sql, $db) or die(mysql_error($db));
                session_start();
                $_SESSION['user_id'] = mysql_insert_id($db);
                $_SESSION['access_level'] = 1;
                $_SESSION['name'] = $name;
            }
            redirect('cms_index.php');
            break;

        case 'Modify Account':
            // Admin form: change e-mail, name and access level of a given user_id
            $user_id = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
            $email = (isset($_POST['email'])) ? $_POST['email'] : '';
            $name = (isset($_POST['name'])) ? $_POST['name'] : '';
            $access_level = (isset($_POST['access_level'])) ? $_POST['access_level']
                : '';
            if (!empty($user_id) && !empty($name) && !empty($email) &&
                !empty($access_level) && !empty($user_id)) {
                $sql = 'UPDATE cms_users SET
                            email = "' . mysql_real_escape_string($email, $db) . '",
                            name = "' . mysql_real_escape_string($name, $db) . '",
                            access_level = "' . mysql_real_escape_string($access_level,
                                $db) . '",
                        WHERE
                            user_id = ' . $user_id;
                mysql_query($sql, $db) or die(mysql_error($db));
            }
            redirect('cms_admin.php');
            break;

        case 'Send my reminder!':
            // Password reminder: generate a random password and mail it to the address
            $email = (isset($_POST['email'])) ? $_POST['email'] : '';
            if (!empty($email)) {
                $sql = 'SELECT email FROM cms_users WHERE email="' .
                    mysql_real_escape_string($email, $db) . '"';
                $result = mysql_query($sql, $db) or die(mysql_error($db));
                if (mysql_num_rows($result) > 0) {
                    $password = strtoupper(substr(sha1(time()), rand(0, 32), 8));
                    $subject = 'Comic site password reset';
                    $body = 'Looks like you forgot your password, eh? No worries. ' .
                        'We\'ve reset it for you!' . "\n\n";
                    $body .= 'Your new password is: ' . $password;
                    mail($email, $subject, $body);
                }
                mysql_free_result($result);
            }
            redirect('cms_login.php');
            break;

        case 'Change my info':
            // Logged-in user edits their own e-mail and name
            session_start();
            $email = (isset($_POST['email'])) ? $_POST['email'] : '';
            $name = (isset($_POST['name'])) ? $_POST['name'] : '';
            if (!empty($name) && !empty($email) && !empty($_SESSION['user_id']))
            {
                $sql = 'UPDATE cms_users SET
                            email = "' . mysql_real_escape_string($email, $db) . '",
                            name = "' . mysql_real_escape_string($name, $db) . '",
                        WHERE
                            user_id = ' . $_SESSION['user_id'];
                mysql_query($sql, $db) or die(mysql_error($db));
            }
            redirect('cms_cpanel.php');
            break;

        default:
            redirect('cms_index.php');
    }
} else {
    redirect('cms_index.php');
}
?>
In the 'Modify Account' case there is an extra comma on one line:

access_level = "' . mysql_real_escape_string($access_level,
    $db) . '",
             ^ here

But I beg you, don't use the mysql_ functions in new code. They are messy, outdated, and officially deprecated. Learn PHP's database access. Once you get used to it, you'll find it easier, cleaner, and safer.
The snippet:

'access_level = "' . mysql_real_escape_string($access_level, $db) . '", WHERE...'

(easier to see on one line) has a comma before the WHERE clause. Get rid of it. You can use a comma when you go on to set another column, but not right before the WHERE.
Remember that in 90% of cases such problems are very easy to spot if you simply output the SQL strings before executing them (during debugging, not in production).

Also, you need to learn how to use parameterized queries, both for readability and to prevent a potential security vulnerability (SQL injection).

Print out $sql; don't use the mysql_ functions; read on.

This question appears to be off-topic because it is about finding a comma.

@Wooble, I'm pretty sure this isn't off-topic, otherwise any code with a run-time error wouldn't be allowed either, like "why does for(i=0;i<10;j++) never end".

@user2062950 thanks for the info :) I'll change it.
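The two points the answers make, drop the comma before WHERE and switch to parameterized queries, put together as an added example. This is not the original poster's code nor any answerer's. It uses PDO against an in-memory SQLite database so it runs offline; the cms_users columns are assumed from the question's queries, addslashes stands in for mysql_real_escape_string, and the legacy query is only built and printed, never executed, following the "print the SQL before you run it" advice. Note that in the posted code user_id is concatenated into the UPDATE without any escaping, which is the injection the last answer warns about: a user_id of 2 OR 1=1 would have rewritten the WHERE clause once the comma was fixed.

```php
<?php
// Added example (not the original poster's code): the 'Modify Account'
// UPDATE rewritten with PDO prepared statements. An in-memory SQLite
// database stands in for MySQL so the script runs offline; the table
// layout (user_id, email, password, name, access_level) is assumed from
// the question's queries.
declare(strict_types=1);

const ACCESS_USER      = 1;
const ACCESS_MODERATOR = 2;
const ACCESS_ADMIN     = 3;

// Build the query the way the question did (string concatenation, stray
// comma before WHERE, unescaped user_id) and RETURN it instead of running
// it. addslashes() stands in for mysql_real_escape_string() here.
function buildLegacyUpdate(string $email, string $name, string $accessLevel, string $userId): string
{
    return 'UPDATE cms_users SET
    email = "' . addslashes($email) . '",
    name = "' . addslashes($name) . '",
    access_level = "' . addslashes($accessLevel) . '",
WHERE
    user_id = ' . $userId;
}

// Hardened version: validate the two numeric fields, bind every value as a
// parameter, no comma after the last SET column. Returns affected rows.
function modifyAccount(PDO $db, string $userId, string $email, string $name, string $accessLevel): int
{
    // user_id must be a positive integer; "2 OR 1=1" fails this check.
    $id = filter_var($userId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    // access_level may only be one of the three known levels (1..3).
    $level = filter_var($accessLevel, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => ACCESS_USER, 'max_range' => ACCESS_ADMIN]]);
    if ($id === false || $level === false || $email === '' || $name === '') {
        throw new InvalidArgumentException('invalid account update');
    }

    $stmt = $db->prepare(
        'UPDATE cms_users SET email = :email, name = :name, access_level = :level
         WHERE user_id = :id'
    );
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':level', $level, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample data: two ordinary users in an in-memory database.
function demoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cms_users (
        user_id INTEGER PRIMARY KEY, email TEXT, password TEXT, name TEXT,
        access_level INTEGER NOT NULL DEFAULT 1)');
    $db->exec("INSERT INTO cms_users (email, password, name) VALUES
        ('alice@example.com', 'x', 'Alice'), ('bob@example.com', 'x', 'Bob')");
    return $db;
}

$db = demoDatabase();

// 1. Print what the original code would have sent: the ",\nWHERE" that
//    MySQL rejected, and the crafted user_id tail that would survive the
//    comma fix and promote every account.
echo buildLegacyUpdate('bob@example.com', 'Bob', '3', '2 OR 1=1'), "\n\n";

// 2. Hardened version: the crafted id is rejected before any SQL runs.
try {
    modifyAccount($db, '2 OR 1=1', 'bob@example.com', 'Bob', '3');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// 3. A legitimate request changes exactly the one intended row.
$changed = modifyAccount($db, '2', 'bob@example.com', 'Bob', (string) ACCESS_MODERATOR);
echo "rows changed: $changed\n";
foreach ($db->query('SELECT name, access_level FROM cms_users ORDER BY user_id') as $row) {
    echo "{$row['name']}: {$row['access_level']}\n";
}
```

Running it with the CLI (php modify.php) first prints the legacy statement so the comma and the injected tail are visible in full, then the rejection, then one changed row with Bob at level 2 and Alice untouched. The whitelist on access_level is what actually closes the privilege-escalation path; binding alone would still let any integer through.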