简单的表查询语法错误? [英] Simple table query syntax error?
问题描述
我希望这里有人能帮我看看这个错误是从哪里来的.
I hope someone here can help me see where this error is coming from.
我有一个包含两个字段的表单:电子邮件和密码.表单的动作将它带到一个应该
I have a form with two fields: email and password. The form's action takes it to a php page that is supposed to
- 开始会话
- 通过mysql连接数据库
- 运行查询并选择表格中电子邮件字段与电子邮件类似的行在表单中提交.
现阶段不完整,我只回显了脚本末尾的一些字段看看它是否有效.
At this stage it is incomplete, I only echo some of the fields at the end of the script to see if it works.
我对其进行了测试,但在最后一行出现了意外的结束错误;我遗漏了一个括号.所以我虽然不会有其他错误,但是当我再次测试时,我得到了这个错误:
I tested it and there was an unexpected end error that came up right at the last line; a bracket I left out. So I though there would be no other errors, but then when I tested it again I got this error:
您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,以获取在第 6 行的@gmail.com"附近使用的正确语法
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com' at line 6
@gmail.com 是我提交的电子邮件的最后一部分.
@gmail.com is the last bit of the email I submitted.
这里是php(action)页面的代码:
Here is the code of the php (action) page:
<?php
session_start();
$_SESSION['sessionemail'] = $_POST['email'];
$_SESSION['sessionpassword'] = $_POST['password'];
$_SESSION['authuser'] = 0;
$dbhost = 'somewhere.com';
$dbuser = 'user';
$dbpass = 'pw';
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
$dbname = 'medreunten_db1';
mysql_select_db($dbname) or die(mysql_error($conn));
$query = 'SELECT
name, smacker, surname, sex, age, nationality, email
FROM
employee
WHERE
email = ' . $_POST['email'];
$result = mysql_query($query, $conn) or die (mysql_error($conn));
extract(mysql_fetch_assoc($result));
while ($row = mysql_fetch_array($result)) {
echo $row['name'];
echo $row['surname'];
echo $row['age'];
}
?>
我尝试删除前 5 行,但仍然出现相同的错误.
I tried removed the first 5 lines and I still got the same error.
不知何故,当 php 被解析时,浏览器会读取 email 变量的内容,就好像它是我的 php 代码的一部分.至少我是这么想的,因为我收到的错误表明@gmail.com"附近的语法有问题.
Somehow, when the php gets parsed, the browser reads the content of the email variable as if it is part of my php code. At least that's what I thought because the error I receive states that there is a problem with the syntax near "@gmail.com".
希望有人能给我一个线索!
I hope someone can give me a clue!
推荐答案
你有一个 SQL 注入,在发送到任何用户提交或以其他方式可能被篡改的数据之前,总是应用 mysql_real_escape_string()
一个 MySQL 数据库.
You have an SQL injection, always apply mysql_real_escape_string()
to any user-submitted or otherwise potentially tampered-with data before sending to a MySQL database.
注意电子邮件变量周围的 '
.
Note the '
around the email variable.
$email = mysql_real_escape_string($_POST['email']);
$query = "
SELECT name, smacker, surname, sex, age, nationality, email
FROM employee
WHERE email = '$email'
";
这篇关于简单的表查询语法错误?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!