Mysterious mysql error
I'm by no means experienced in mysql and keep getting an error in these lines of code:
$sql= "INSERT INTO songs (unique_show_id, artist, date, year, city, state, venue, taper, transfered_by, source, mic_loc, lineage, uploaded_by, uploaded_on, show_notes, show_xml)
VALUES('$showId', '$artist', '$showDate', '$year, '$city', '$state', '$venue', '$taper', '$transferer', '$source', '$mic_loc', '$lineage', '$uploader', NOW(), '$show_notes', '$show_xml')";
//check to see if the query went through
if (!mysql_query($sql,$con)){
echo "query fail";
die('Error: ' . mysql_error());
}
I'm sure it's something simplistic, but I can't see where the error is. The error message I get is:
query failError: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ipuhgbi', 'CA', '', '', '', '', '', '', 'danwoods', NOW(), '', '<show id=\'gm198' at line 2
Some of the values I'm inserting are NULL, but from what I've read I don't think that should be a problem. Any ideas?
Comments (4)
You need to use mysql_real_escape_string() in each and every single one of your $variables. Also, read this StackOverflow question carefully regarding SQL Injections.
It looks like the last single quote on the error line is not escaped.
You need to remember to sanitize all of the strings going into the query.
There are quite a few things you need to be sure about:
Use intval for numbers and mysql_real_escape_string for strings to avoid injection issues as well as single-quote query errors.
insert into table set field='field_value', field2='field_value' // and so on
Missing quote after $year. When MySQL issues such an error (near bla di bla), the error is usually immediately before the string it mentions. In this case 'ipuhgbi' maps to $city, so you know it's right before '$city', and what do we see there? Voila, a missing quote.
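The escaping advice in the answers above, taken one step further as an added example (not code from the question or from any answer): a PDO prepared statement for the question's INSERT, which removes hand-written quoting altogether; the mysql_* functions used on this page were removed in PHP 7. An in-memory SQLite database stands in for MySQL so the script runs offline, only a subset of the question's columns is used, and all row values are constructed.

```php
<?php
// Added example. SQLite in memory stands in for MySQL (assumption) so it
// runs offline; for MySQL only the PDO DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Subset of the question's columns, enough to show quoting and NULL handling.
$pdo->exec('CREATE TABLE songs (
    unique_show_id TEXT, artist TEXT, date TEXT, year INTEGER,
    city TEXT, state TEXT, venue TEXT, uploaded_by TEXT,
    uploaded_on TEXT, show_xml TEXT)');

// Placeholders keep the data out of the SQL text, so a quote inside a value
// (or one forgotten by the programmer) cannot change the statement's syntax.
$stmt = $pdo->prepare('INSERT INTO songs
    (unique_show_id, artist, date, year, city, state, venue,
     uploaded_by, uploaded_on, show_xml)
    VALUES (:show_id, :artist, :date, :year, :city, :state, :venue,
            :uploaded_by, CURRENT_TIMESTAMP, :show_xml)');

// Constructed sample row: apostrophes in two values and a NULL venue.
$row = [
    ':show_id'     => 'example-show-1',
    ':artist'      => 'Example Artist',
    ':date'        => '1980-01-01',
    ':year'        => 1980,
    ':city'        => "Coeur d'Alene",
    ':state'       => 'ID',
    ':venue'       => null,
    ':uploaded_by' => 'example_user',
    ':show_xml'    => "<show id='example-1'><song>Example's Tune</song></show>",
];

// Bind each value with an explicit type: integers stay integers, NULL stays NULL.
foreach ($row as $name => $value) {
    $type = is_int($value) ? PDO::PARAM_INT
          : ($value === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue($name, $value, $type);
}
$stmt->execute();

// Read the row back to confirm the values were stored byte for byte.
$saved = $pdo->query('SELECT city, venue, year, show_xml FROM songs')
             ->fetch(PDO::FETCH_ASSOC);
var_dump($saved['city'] === $row[':city']);
var_dump($saved['venue'] === null);
var_dump($saved['show_xml'] === $row[':show_xml']);
```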