这个简单的 PHP SQL 语句有什么问题?
我想重新识别全名中包含“blo”的所有用户,例如:“Pablo”
我使用 user PHP 参数传递“blo”参数:
$q=mysql_query("select * From user Where fullName Like '%'".$_REQUEST['user']."'%'",$link );
php SQL 语句中出现问题,因为当我在 SQL 数据库上尝试带有参数“blo”的句子时,我发现 SQL 语句是正确的,因为它返回了正确的结果,这是带有参数“blo”的句子:select * From userWhere fullName Like "%blo%"
我确信PHP正确接收到了“blo”参数,那么,它一定是PHP上的SQL语句的语法错误... 。但我找不到它
编辑:好的!!最后一句已解决,但现在我有一个新的句子,有同样的问题,它有一个错误,但我不知道在哪里
$query = sprintf("SELECT u.*
FROM USER u
WHERE u.fullName LIKE '%%%s%%' AND email NOT IN (select pp.fk_email2 from permission pp where pp.fk_email1='".mysql_escape($_REQUEST['mymail'])."') AND email NOT LIKE '".mysql_escape($_REQUEST['mymail'])."' ",
mysql_real_escape_string($_REQUEST['user']));
i want to recober all the users with "blo" in their full name, for example: "Pablo"
I pass the "blo" parameter with user PHP parameter:
$q=mysql_query("select * From user Where fullName Like '%'".$_REQUEST['user']."'%'",$link );
something is wrong in the php SQL sentence, because when i try the sentence with the argument "blo" on my SQL database, i see that the SQL sentence is correct, because it returns me correct result, this is the sentence with the argument "blo" on it: select * From user Where fullName Like "%blo%"
i'm sure that the PHP is receiven the "blo" parameter correctly, then, it have to be a sintax error of the SQL sentence on the PHP.... but i can't find it
EDIT : OK!! the last sentence is solved, but now i have this new sentence with the same problem, it have a error but i dont know where
$query = sprintf("SELECT u.*
FROM USER u
WHERE u.fullName LIKE '%%%s%%' AND email NOT IN (select pp.fk_email2 from permission pp where pp.fk_email1='".mysql_escape($_REQUEST['mymail'])."') AND email NOT LIKE '".mysql_escape($_REQUEST['mymail'])."' ",
mysql_real_escape_string($_REQUEST['user']));
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
SQL 需要单引号来指示要比较的字符串,并且通配符 (%) 必须包含在这些单引号内。双引号仅用于列和表别名(如果有的话)。
其次,如果不清理用户请求变量,您将暴露于 SQL 注入攻击。在处理提交到 MySQL 数据库的字符串时,始终使用 mysql_real_escape_string。
SQL requires single quotes to indicate a string for comparison, and the wildcard character (%) must be included inside of those single quotes. Double quotes are used for column and table aliasing only, if at all.
Secondly, you're leaving yourself open to a SQL injection attack by not sanitizing the user request variable. Always use mysql_real_escape_string when dealing with strings being submitted to a MySQL database.
你把引号搞乱了。使用这个:
顺便说一句,这是不好的做法。您在查询中使用未转义的输入,并且对 SQL 注入持开放态度。
You have the quotes messed up. use this:
BTW, this is bad practice. You are using un-escaped input in your query and are open to SQL injection.
看起来你的引号被关闭了..尝试类似的东西...
另外,你需要确保传入的参数是sql转义的以防止sql注入。我不懂php,但它可能类似于......
It looks like your quotes are off.. try something like...
Also, you will want to make sure that the incoming param is sql-escaped to prevent sql injection. I don't know php, but it's probably something similar to...
我认为它一定是...全名如 '%" 。$_REQUEST['user']."%'"...
简单引号内包含 % 符号。
I think it must be ... Where fullname like '%" . $_REQUEST['user']."%'"...
with the % symbol inside the simple quotes.
@AndroidUser99:将查询更改为 -
更新
我认为我们可能需要更多代码,因为没有一个答案似乎“有效”。数据库链接是否在
$link中实例化?如果有错误,错误是什么?@AndroidUser99: Change the query to --
Update
I think we may need more code since none of the answers seem to be 'working'. Is the database link even being instantiated in
$link? If there are errors what are they?