MySQL的語法錯誤

Question

<form action="editauthor.php" method="post"> 
    <label>Author Name:</label> 
    <input type="text" name="txtUser" value="<?=$name;?>" /><br /><br /> 
    <label>Email:</label> 
    <input type="text" name="txtEmail" value="<?=$email;?>" /><br /><br /> 
    <input type="hidden" name="id" value="<?=$id?>" /> <!-- use hidden to hide id for using, but not display, here id is not important --> 
    <input type="submit" value="Edit" name="submit" /> 
</form> 
<?php 
    if(isset($_POST['submit'])) { 
    $con = @mysql_connect("localhost","root",""); 
    mysql_select_db("jokes",$con); 

    $name = $_POST['txtUser']; 
    $email = $_POST['txtEmail']; 

    $sql = "UPDATE authors 
       SET name = '".$_POST['txtUser']."', 
        email = '".$_POST['txtEmail']."' 
      WHERE id = ".$_GET['id']""; 

    $result = @mysql_query($sql, $con) or die(mysql_error()); 
    if($result) { 
     echo "New Author has been edited successfully!"; 
    } else { 
     echo "Cannot update this kind of author into the database. ".mysql_error(); 
    } 
    } ?> 

...它產生以下錯誤：

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Answer 1

你缺少點這裏WHERE id = ".$_GET['id']"";

Answer 2

在SQL語句結尾擺脫兩個引號

$sql = "UPDATE authors SET name = '".$_POST['txtUser']."', email = '".$_POST['txtEmail']."' WHERE id = ".$_GET['id']; 

Answer 3

正確的答案已經發布，但讓我給你一些建議。

在未來，嘗試這樣做：

$result = @mysql_query($sql, $con) or die($sql.'<hr>'.mysql_error()); 

那麼你可以隨時看到mysql的一句話給你的問題。如果你不知道爲什麼它會打擾你，請複製粘貼它，然後在你的phpMyAdmin中試用它。

祝您好運與您的項目：]

Answer 4

問題是，你正在使用$ _GET [「身份證」]，你的ID不是_GET方法及其在$ _ POST，所以您的查詢就會有這樣的事情

其中id = 後「=」因爲沒有價值$ _GET [「身份證」] 只是將其更改爲$ _ POST

Answer 5

<?php 
    if(!empty($_POST)) 
    { 
     $con = @mysql_connect("localhost","root",""); 
     mysql_select_db("jokes",$con); 

     $name = $_POST['txtUser']; 
     $email = $_POST['txtEmail']; 
     $sql = "UPDATE authors SET name = '" . $_POST['txtUser'] . "', email = '" . $_POST['txtEmail'] . "' WHERE id = '" . $_GET['id'] ."'"; 

     $result = @mysql_query($sql, $con) or die(mysql_error()); 

     if($result) 
     { 
      echo "New Author has been edited successfully!"; 
     } 
     else 
     { 
      echo "Cannot update this kind of author into the database. " . mysql_error(); 
     } 

    } 
    else 
    { 
     $name = ''; 
     $email = ''; 
     $id = ''; 
    } 
?> 

<form action="./editauthor.php" method="post"> 
    <label>Author Name:</label> 
    <input type="text" name="txtUser" value="<?= $name ?>" /><br /><br /> 
    <label>Email:</label> 
    <input type="text" name="txtEmail" value="<?= $email ?>" /><br /><br /> 
    <input type="hidden" name="id" value="<?= $id ?>" /> <!-- use hidden to hide id for using, but not display, here id is not important --> 
    <input type="submit" value="Edit" name="submit" /> 
</form> 

Answer 6

最有可能的是造成了'一個語法錯誤，沒有價值在txtUser或txtEmail字段。你的代碼容易受到SQL注入攻擊，現在注入「攻擊」只是導致語法錯誤。

例如Miles O'Brien填寫表單，讓您的查詢就會變成：

UPDATE authors 
... 
WHERE name='Miles O'Brien' 
        ^---syntax error here 

您真的需要去拜訪http://www.bobby-tables.com，然後rejigger你的代碼看起來像這樣：

  SET name = '" . mysql_real_escape_string($_POST['txtUser']) . "', 
       email = '" . mysql_real_escape_string($_POST['txtEmail']) . "' 

Answer 7

用途：

$sql = sprintf("UPDATE AUTHORS 
        SET name = '%s', 
         email = '%s' 
       WHERE id = %d ", 
       mysql_real_escape_string($_POST['txtUser']), 
       mysql_real_escape_string($_POST['txtEmail']), 
       mysql_real_escape_string($_POST['id'])); 

它會保護你免受SQL injection attacks，並糾正你用來獲得身份證的方法 - 表格是pos噸，只有一個請求將被提出。