这个php脚本有什么问题？

发布于 2024-11-05 05:27:39 字数 263 浏览 8 评论 0原文

我在这一行中不断收到错误 1064：

$sqlquery = "INSERT INTO user 
               (username, password, email, key) 
             VALUES 
                ('".$_POST["username"]."','".$_POST["password"]."','".$_POST["email"]."','".$activation."')";`

原文

I keep getting error 1064 in this line:

$sqlquery = "INSERT INTO user 
               (username, password, email, key) 
             VALUES 
                ('".$_POST["username"]."','".$_POST["password"]."','".$_POST["email"]."','".$activation."')";`

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

忆沫 2024-11-12 05:27:39

key 是您在查询中使用的保留字，必须使用反引号进行转义。保留字错误为 1064。

您还应该考虑学习一些安全理论，特别是关于在查询中使用未转义值（直接来自用户）。

下面的代码既安全又固定：

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$email = mysql_real_escape_string($_POST['email']);
$sqlquery = "INSERT INTO `user` (`username`, `password`, `email`, `key`) VALUES ('{$username}','{$password}','{$email}','{$activation}')";

涉及查询（好吧，任何事情）时的一个简单规则是永远不要信任用户输入。通过使用 mysql_real_escape_string ，您可以转义变量，以便将它们安全地插入到数据库中。如果没有它，您可以允许用户运行他们想要的任何查询。

为了供将来参考，这里有一个MySQL 保留字的完整列表。

key is a reserved word which you're using in your query, this must be escaped with backticks. Reserved word error is 1064.

You should also consider learning some security theory particularly with regards to using unescaped values in a query (straight from a user).

The below code is both secure and fixed:

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$email = mysql_real_escape_string($_POST['email']);
$sqlquery = "INSERT INTO `user` (`username`, `password`, `email`, `key`) VALUES ('{$username}','{$password}','{$email}','{$activation}')";

A simple rule when it comes to queries (well, anything) is to never trust user input. By using mysql_real_escape_string you're escaping the variables so that they're safe for insertion into the database. Without it, you could allow the user to run any query that they wanted to.

For future reference, here is a complete list of MySQL Reserved Words.

回复收藏 0 原文

小巷里的女流氓 2024-11-12 05:27:39

MySQL错误1064通常意味着SQL语法错误。查看您的 SQL 语句以确保其有效。

调试此类错误的一个好方法是打印出 SQL，然后尝试在 MySQL 中手动执行它。

回复收藏 0 原文

蓝咒 2024-11-12 05:27:39

如果你改用这个，你还会得到错误吗：

$query = sprintf("INSERT INTO user 
                    (username, password, email, `key`) 
                  VALUES 
                    ('%s','%s','%s','%s')",
                  mysql_real_escape_string($_POST["username"]),
                  mysql_real_escape_string($_POST["password"]),
                  mysql_real_escape_string($_POST["email"]),
                  mysql_real_escape_string($_POST["activation"]));

$result = mysql_query($query);

KEY is a MySQL保留字——它需要用反引号括起来以避免在查询中使用。如果不使用保留字，则不需要反引号......

Do you still get errors if you use this instead:

$query = sprintf("INSERT INTO user 
                    (username, password, email, `key`) 
                  VALUES 
                    ('%s','%s','%s','%s')",
                  mysql_real_escape_string($_POST["username"]),
                  mysql_real_escape_string($_POST["password"]),
                  mysql_real_escape_string($_POST["email"]),
                  mysql_real_escape_string($_POST["activation"]));

$result = mysql_query($query);

KEY is a MySQL reserved word -- it needs to be enclosed in backticks to escape its use in queries. Backticks are not necessary if not using reserved words...

回复收藏 0 原文