MySQL 语法：您的 SQL 语法有错误…

发布于 2024-11-05 16:04:30 字数 817 浏览 6 评论 0原文

我从下面的代码中收到以下错误。

您的 SQL 语法有错误；检查与您的 MySQL 服务器版本对应的手册，了解在第 1 行 '@doe.com,username,5f4dcc3b5aa765d61d8327deb882cf99,09/05/2011 1:11:13 AM)' 附近使用的正确语法

$username = $_GET['username'];
$password = md5($_GET['password']);
$firstname = $_GET['firstname'];
$lastname = $_GET['lastname'];
$email = $_GET['email'];
$date = uk_date();
$conn = mysql_connect('localhost', 'myuser', 'mypass');
mysql_select_db('dbname');
$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES (". $firstname . ",". $lastname ."," . $email . "," . $username . "," . $password . "," . $date . ")";
$result = mysql_query($query) or die(mysql_error());
echo 'Success';
mysql_close($result);

让我知道我的问题是什么？我是 MySQL 和 PHP 的新手，所以请您解释一下我做错了什么，以供以后参考。

原文

I am receiving the following error from the code below.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@doe.com,username,5f4dcc3b5aa765d61d8327deb882cf99,09/05/2011 1:11:13 AM)' at line 1

$username = $_GET['username'];
$password = md5($_GET['password']);
$firstname = $_GET['firstname'];
$lastname = $_GET['lastname'];
$email = $_GET['email'];
$date = uk_date();
$conn = mysql_connect('localhost', 'myuser', 'mypass');
mysql_select_db('dbname');
$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES (". $firstname . ",". $lastname ."," . $email . "," . $username . "," . $password . "," . $date . ")";
$result = mysql_query($query) or die(mysql_error());
echo 'Success';
mysql_close($result);

Please could you let me know what my problem is? I am new to MySQL and PHP so please can you provide an explanation to what I have done wrong for later reference.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

逆蝶 2024-11-12 16:04:30

您还没有引用 INSERT 中的任何值，您应该说更多类似这样的内容：

$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('". $firstname . "','". $lastname ."','" . $email . "','" . $username . "','" . $password . "','" . $date . "')";

您还应该使用 mysql_real_escape_string 在所有这些变量上，以确保任何嵌入的引号等都被正确编码。

更好的版本是这样的：

$query = sprintf("INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('%s', '%s', '%s', '%s', '%s', '%s')",
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname),
    mysql_real_escape_string($email),
    mysql_real_escape_string($username),
    mysql_real_escape_string($password),
    mysql_real_escape_string($date));

您还应该听 BoltClock 并使用 PDO< /a> 和占位符，这样您就不必担心引号和转义太多。 PDO 还将使数据库切换变得更加容易。

You haven't quoted any of the values in your INSERT, you should be saying something more like this:

$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('". $firstname . "','". $lastname ."','" . $email . "','" . $username . "','" . $password . "','" . $date . "')";

You should also be using mysql_real_escape_string on all those variables to make sure that any embedded quotes and such are properly encoded.

A better version would be something like this:

$query = sprintf("INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('%s', '%s', '%s', '%s', '%s', '%s')",
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname),
    mysql_real_escape_string($email),
    mysql_real_escape_string($username),
    mysql_real_escape_string($password),
    mysql_real_escape_string($date));

You should also listen to BoltClock and use PDO and placeholders so you don't have to worry about your quotes and escaping so much. PDO will also make it easier to switch databases.

回复收藏 0 原文

迷鸟归林 2024-11-12 16:04:30

用户输入可能有单引号字符，因此是安全的在将其作为查询发送到数据库之前转义特殊字符，这将防止您的脚本受到 SQL 注入。

$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('$firstname', '$lastname', '$email','$username','$password', '$date')";

Probably user input have a single quote character, so it will be safe to escape special character before send it as query to database, this will prevent your script from sql injection.

$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('$firstname', '$lastname', '$email','$username','$password', '$date')";

回复收藏 0 原文

吃素的狼 2024-11-12 16:04:30

一旦您按照其他人的建议转义了变量，如果它们是字符串变量，则需要用引号将它们引起来：

mysql_select_db('dbname'); 
$query = "INSERT INTO accounts 
       (FirstName, LastName, Email, Username, Password, LastLoginDate) 
       VALUES ('". $firstname . "','". $lastname ."','" . $email . "','" .
       $username . "','" . $password . "','" . $date . "')"; 
$result = mysql_query($query) or die(mysql_error());
echo 'Success'; mysql_close($result);

在本例中，我添加了单引号。你现在不应该有任何错误

Once you have escaped your variables like suggested by other, you need to surround them with quotes if they are string varialbles :

mysql_select_db('dbname'); 
$query = "INSERT INTO accounts 
       (FirstName, LastName, Email, Username, Password, LastLoginDate) 
       VALUES ('". $firstname . "','". $lastname ."','" . $email . "','" .
       $username . "','" . $password . "','" . $date . "')"; 
$result = mysql_query($query) or die(mysql_error());
echo 'Success'; mysql_close($result);

In this case i added single quotes. you shouldnt have any errors now

回复收藏 0 原文

~没有更多了~