Postgres INSERT INTO 查询错误?
以下 Postgres 查询有什么问题?
INSERT INTO kayak.airports(name, x, y, city) VALUES( $name, $x, $y, $city)
WHERE airport_id='$airport_id
编辑(感谢唐尼帮助我取得进步): 我尝试过:
$query="UPDATE kayak.airports SET name=$name, x = $x, y = $y, city = $city
WHERE airports.airport_id='$airport_id'";
它说“列‘布里斯班’不存在”(布里斯班是第一个被插入的城市。)我取出了 SET 和 WHERE 之间除了“x=$x”之外的所有内容,并且这些都已成功插入。 “y=$y”也是如此。当只留下 name=$name 时,它会说
"Query failed: ERROR: syntax error at or near "International" LINE 1: UPDATE kayak .airports SET name=Brisbane International WHERE... ^"
What's wrong with the following Postgres query?
INSERT INTO kayak.airports(name, x, y, city) VALUES( $name, $x, $y, $city)
WHERE airport_id='$airport_id
EDIT (thanks Donnie for helping me make progress) :
I tried:
$query="UPDATE kayak.airports SET name=$name, x = $x, y = $y, city = $city
WHERE airports.airport_id='$airport_id'";
It said "column 'Brisbane' doesn't exist" (Brisbane is the first city to be inserted. ) I took out everything between SET and WHERE except for "x=$x" and those were successfully inserted. Ditto for "y=$y". When only leaving in name=$name it says
"Query failed: ERROR: syntax error at or near "International" LINE 1: UPDATE kayak .airports SET name=Brisbane International WHERE... ^"
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您的查询字符串未加引号。不要使用 PHP 变量插值来构建 SQL 查询,因为这会使您的脚本或应用程序容易受到 SQL 注入攻击。
相反,使用参数化查询。因此,上面的查询变成:
然后,您将使用参数化查询调用函数
pg_query_params传递所需参数:其中
$parameters是参数数组。另请注意,$query 字符串是单引号引起来的,因为 $n 占位符不用于插值。这可以防止任何错误(例如通过先敲一个字母来输入真实的变量名)并消除任何 SQL 注入的可能性。
Your query string is not quoted. Do not use PHP variable interpolation for building SQL queries, because this will leave your script or application vulnerable to an SQL injection attack.
Instead, use parameterized queries. Thus, your query above becomes:
Then, you will use the parameterized query calling function
pg_query_paramsto pass the required parameters:Where
$parametersis an array of parameters.Also note that the $query string is single-quoted, because the $n placeholders are not there for interpolation. This prevents any mistakes (such as typing a real variable name by bumping a letter first) and eliminates any possibility of SQL injection.
您正在尝试插入文字值。
where子句没有任何意义。对于
insert,您只能在insert ... select中使用where来限制select返回的内容。也许您确实想要
更新现有记录?You're attempting to insert literal values. A
whereclause makes no sense.For
insert, you can only usewherein aninsert ... selectto limit what theselectis returning.Perhaps you actually want to
updatean existing record?对我来说,如果我收到一个列不存在的错误,通常表明我错误地引用了某些内容(或根本没有引用)。
您尝试仅更新名称字段的错误消息证实了这一点:(
克拉应该直接指向查询中的问题区域。)
需要引用您在 UPDATE 语句中传递给名称字段的值,就像您传递给 airport_id 的值一样。 (我将大胆猜测 x 和 y 是整数,这不需要引号,这就是为什么当您尝试仅更新这些字段时不会收到错误。)(我将另一个大胆的猜测是,您传递给 city 的值也需要被引用,但您可能很快就会明白:))
最终结果扩展 UPDATE 应该如下所示:
For me, if I get an error that a column doesn't exist, it's usually a tipoff that I've quoted something incorrectly (or not at all).
This is borne out by the error message from your attempt to update only the name field:
(The carat should point right to the problem area in the query.)
The value you are passing to the name field in your UPDATE statement needs to be quoted, just like the value you're passing to airport_id. (I'm going to take a wild guess that x and y are integers, which wouldn't require quoting, which is why you don't get an error when you try to update just those field.) (I'm going to take another wild guess that the value you pass to city will need to be quoted too, but you will probably figure that out shortly. :) )
The end result expanded UPDATE should look something like this: