SQL语法错误,但字符不行 [英] Error in SQL Syntax but character isnt in line

查看:104
本文介绍了SQL语法错误,但字符不行的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我收到以下错误:


您的SQL语法错误;检查与您的MySQL服务器版本相对应的手册,在第1行''附近使用正确的语法

甚至没有' '在线1或靠近它......根本没有意义。

 <?php $ b $ (); 
 if($ _SESSION ['uid']){
 if(isset($ _ POST ['reply_submit'])){$ b $ include_once(connect.php) ; 
 $ creator = $ _SESSION ['uid']; 
 $ cid = $ _POST ['cid']; 
 $ tid = $ _POST ['tid']; 
 $ reply_content = $ _POST ['reply_content']; 
 $ sql =INSERT INTO posts(category_id,topic_id,post_creator,post_content,post_date)VALUES('。$ cid。','。$ tid。 $'$。$'$'$。$'$'$。$'$'$。$'$'$。$'$'$'$'$'$'$'$' $ b $ sql2 =UPDATE categories SET last_post_date = now(),last_user_posted'。$ creator。'WHERE id ='。$ cid。'LIMIT 1; 
 $ res2 = mysql_query($ sql2)或die(mysql_error()); 
 $ sql3 =UPDATE topics SET topic_reply_date = now(),topic_last_user'。$ creator。''WHERE id ='。$ tid。'LIMIT 1; 
 $ res3 = mysql_query($ sql3)或死(mysql_error()); ($($ res)&&($ res2)&& $($ res3)){
 echo $
 $ b //电子邮件发送
 
 < p为H.成功与LT; / p>中; 
} else {
 echo< p>错误< / p>; 
} 
 
} else {
 exit(); 
} 
} else {
 exit(); 
} 
?>

以下是表单所在的位置... 

 <?php 
 session_start(); 
 error_reporting(E_ALL ^ E_DEPRECATED); 
 if((!!setset($ _ SESSION ['uid']))||($ _GET ['cid'] ==)){
 header(Location:index.php) ; 
 exit(); 
} 
 $ cid = $ _GET ['cid']; 
 $ tid = $ _GET ['tid']; 
?> 
<!doctype html> 
< html> 
< head> 
< meta charset =utf-8> 
< meta name =authorvalue =Joel Evans> 
< title> MCArcade  - 论坛:回复主题< / title> 
< link rel =stylesheettype =text / csshref =css / main.css> 
< link rel =stylesheettype =text / csshref =css / mobile.css> 
< link rel =stylesheettype =text / csshref =css / font-icon.css> 
< script src =js / jquery.js>< / script> 
< script> 
 $(document).ready(function(){
 $('li')。hover(function(){
 $(this).find('ul> li')。 stop()。slideToggle(fast,function(){
}); 
}); 
}); 
< / script> 
< / head> 
 
< body> 
 
< div class =forum-header> 
< div class =container> 
< h2> MCArcade< / h2> 
< / div> 
< / div> 
< ul class =forum-navbar> 
< div class =container> 
< li>< a href =http://www.mcarcade.com>主页< / a>< / li> 
< li>< a href =http://www.mcarcade.com/community/>社区< / a> 
< ul> 
< li>< a href =http://www.mcarcade.com/forums/>论坛< / a>< / li> 
< li>< a href =http://www.mcarcade.com/servers/>服务器< / a>< / li> 
< / ul> 
< / li> 
< li>< a href =http://www.mcarcade.com/purchase/>购买< / a>< / li> 
< li>< a href =http://www.mcarcade.com/support/>支持< / a>< / li> 
 
 <?php 
 if(!isset($ _ SESSION ['uid'])){
 echo< li>< a href ='http:/ /www.mcarcade.com/login.php'>Login</a></li>; 
} else {
 echo< li> Welcome,。$ _ SESSION ['username']。!< / li>< li>< a href ='logout_parse.php' >退出< / A>中; 
} 
?> 
< / div> 
< / ul> 
 
< div class =container> 
 
< form action =post_reply_parse.phpmethod =post> 
< p>回覆内容< / p> 
< textarea name =reply_contentrows =5cols =75>< / textarea> 
< br />< br /> 
< input type =hiddenname =cidvalue =<?php echo $ cid;?> /> 
< input type =hiddenname =tidvalue =<?php echo $ tid;?> /> 
< input type =submitname =reply_submitvalue =Post Reply/> 
< / form> 
 
< / div> 
 
< / body> 
< / html>


解决方案

您的代码有一些错误。 / p>

删除'now())'



将其改为: 

  ...'。$ reply_content。',now());

plus,



缺少<

将其更改为: $ b 

  last_user_posted ='。$ creator。''

以及 topic_last_user'。$ creator。'



将其更改为:

  topic_last_user ='。$ creator。'





将错误报告添加到您的文件顶部,这是不存在的查询代码。

  error_reporting(E_ALL); 
 ini_set('display_errors',1);

会在代码中发出错误信号。





SQL注入



您现在的代码可以打开强大的SQL注入功能 ,因为您不是转义任何数据输入

使用 mysqli 包含准备好的语句 PDO with prepared statements



注意: 在您打开<?php 标记之前,形成;您可能会在 标头 之前输出。

 <?php 
 ^^^^ //< =作为输出计数
 session_start(); 
 error_reporting(E_ALL ^ E_DEPRECATED); 
 if((!!setset($ _ SESSION ['uid']))||($ _GET ['cid'] ==)){
 header(Location:index.php) ; 
 exit(); 
 
 
 
 
 
 $ b 
如果确实存在空格,请删除它们,它们将作为标题之前的输出。 
 
 
 
对该文件报错ON也会触发警告: 
 
 
 
 < 
 
 
根据文档:
 
 
请记住,必须在发送任何实际输出之前调用 header(),可以使用普通HTML标记,空白文件中的行或PHP中的行。使用include或require函数或其他文件访问函数读取代码并在 header()之前输出空格或空行是一个非常常见的错误调用。使用单个PHP / HTML文件时存在同样的问题。
 
 
 
 
 
 
 
 
使用 error_reporting(E_ALL ^ E_DEPRECATED); 是不够的,您需要显示它们。 
 
 
  ini_set('display_errors',1); 
  
 
I am getting the following error:

  
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1


There's not even a '"' on line 1 or near it... Doesn't make sense at all.
<?php
session_start();
if ($_SESSION['uid']) {
    if (isset($_POST['reply_submit'])) {
        include_once("connect.php");
        $creator = $_SESSION['uid'];
        $cid = $_POST['cid'];
        $tid = $_POST['tid'];
        $reply_content = $_POST['reply_content'];
        $sql = "INSERT INTO posts (category_id, topic_id, post_creator, post_content, post_date) VALUES ('".$cid."', '".$tid."', '".$creator."', '".$reply_content."', 'now())'";
        $res = mysql_query($sql) or die(mysql_error());
        $sql2 = "UPDATE categories SET last_post_date=now(), last_user_posted'".$creator."' WHERE id='".$cid."' LIMIT 1";
        $res2 = mysql_query($sql2) or die(mysql_error());
        $sql3 = "UPDATE topics SET topic_reply_date=now(), topic_last_user'".$creator."' WHERE id='".$tid."' LIMIT 1";
        $res3 = mysql_query($sql3) or die(mysql_error());

        // Email Sending

        if (($res) && ($res2) && ($res3)) {
            echo "<p>Success</p>";
        } else {
            echo "<p>Error</p>";    
        }

    } else {
        exit(); 
    }
} else {
    exit(); 
}
?>

Here's where the form is...
    <?php
session_start();
error_reporting(E_ALL ^ E_DEPRECATED);
if ((!isset($_SESSION['uid'])) || ($_GET['cid'] == " ")) {
    header("Location: index.php");
    exit();
}
$cid = $_GET['cid'];
$tid = $_GET['tid'];
?>
<!doctype html>
<html>
    <head>
        <meta charset="utf-8">
        <meta name="author" value="Joel Evans">
        <title>MCArcade - Forums: Reply to Thread</title>
        <link rel="stylesheet" type="text/css" href="css/main.css">
        <link rel="stylesheet" type="text/css" href="css/mobile.css">
        <link rel="stylesheet" type="text/css" href="css/font-icon.css">
        <script src="js/jquery.js"></script>
        <script>
        $(document).ready(function(){
            $('li').hover(function(){
                $(this).find('ul>li').stop().slideToggle("fast", function(){
                });
            });
        });
        </script>
    </head>

    <body>

        <div class="forum-header">
            <div class="container">
                <h2>MCArcade</h2>
            </div>
        </div>
        <ul class="forum-navbar">
            <div class="container">
                <li><a href="http://www.mcarcade.com">Home</a></li>
                <li><a href="http://www.mcarcade.com/community/">Community</a>
                    <ul>
                        <li><a href="http://www.mcarcade.com/forums/">Forums</a></li>
                        <li><a href="http://www.mcarcade.com/servers/">Servers</a></li>
                    </ul>
                </li>
                <li><a href="http://www.mcarcade.com/purchase/">Purchase</a></li>
                <li><a href="http://www.mcarcade.com/support/">Support</a></li>

                <?php
                    if (!isset($_SESSION['uid'])) {
                        echo "<li><a href='http://www.mcarcade.com/login.php'>Login</a></li>";
                    } else {
                        echo "<li>Welcome, ".$_SESSION['username']."!</li><li><a href='logout_parse.php'>Logout</a>";   
                    }
                ?>
            </div>
        </ul>

        <div class="container">

            <form action="post_reply_parse.php" method="post">
                <p>Reply Content</p>
                <textarea name="reply_content" rows="5" cols="75"></textarea>
                <br /><br />
                <input type="hidden" name="cid" value="<?php echo $cid; ?>" />
                <input type="hidden" name="tid" value="<?php echo $tid; ?>" />
                <input type="submit" name="reply_submit" value="Post Reply" />
            </form>

        </div>

    </body>
</html>



 解决方案 
There are a few things wrong with your code.



Remove the quotes around 'now())'



change that to:
...'".$reply_content."', now())";

plus,



Missing an equal sign for last_user_posted'".$creator."'



change it to:
last_user_posted = '".$creator."'

and for topic_last_user'".$creator."'



change it to:
topic_last_user = '".$creator."'







Add error reporting to the top of your file(s), which is not present query code.
error_reporting(E_ALL);
ini_set('display_errors', 1);

which would have signaled errors in code.






SQL injection



Your present code is open to SQL injection because you are not escaping any data input.

Use mysqli with prepared statements, or PDO with prepared statements.






Sidenote: It appears as if you have spaces before your opening <?php tag in your form; you may be outputting before header.
    <?php
^^^^ // <= counts as output
session_start();
error_reporting(E_ALL ^ E_DEPRECATED);
if ((!isset($_SESSION['uid'])) || ($_GET['cid'] == " ")) {
    header("Location: index.php");
    exit();
}

If there are indeed spaces, remove them, they count as outputting before header.



Having error reporting ON for that file also, would have triggered a warning:

  
Warning: Cannot modify header information - headers already sent by...


As per documentation:

  
Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.








Using error_reporting(E_ALL ^ E_DEPRECATED); isn't enough, you need to display them.
ini_set('display_errors', 1);



                        
这篇关于SQL语法错误,但字符不行的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆