获取:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Creed III', description='The plot is set in a fictional history of real ' at line 2
尝试编辑数据库中的帖子时。
这是我的显示和编辑 php:
$result = mysql_query("SELECT * FROM gallery");
while ($row = mysql_fetch_array( $result )){
// while looping thru each record…
// output each field anyway you like
$title = $row['title'] ;
$description = $row['description'];
$year = $row['year'];
$rating = $row['rating'];
$genre = $row['genre'];
$filename = $row['filename'];
$imageid = $row['imageid'];
include '../modules/edit_display.html';
}
// STEP 2: IF Update button is pressed , THEN UPDATE DB with the changes posted
if(isset($_POST['submit'])){
$thisTitle = $_POST['title'];
$thisDescription = $_POST['description'];
$thisYear = $POST['year'];
$thisRating = $POST['rating'];
$thisGenre = $POST['genre'];
$thisNewFilename = basename($_FILES['file']['name']);
$thisOneToEdit = $_POST['imageid'];
$thisfilename = $_POST['filename'];
if ($thisNewFilename == ""){
$thisNewFilename = $thisfilename ;
} else {
uploadImage();
createThumb($thisNewFilename , 120, "../uploads/thumbs120/");
}
$sql = "UPDATE gallery SET
title='$thisTitle',
description='$thisDescription',
year='$thisYear',
rating='$thisRating',
genre='$thisGenre',
filename='$thisNewFilename'
WHERE
imageid= $thisOneToEdit";
$result = mysql_query($sql) or die (mysql_error());
}
最佳答案
由于使用了危险的用户输入模型,您即将遭受 SQL 注入(inject)攻击。
当您在 title
字段中键入“Assassin's Creed III”时,它会在您代码的 UPDATE
语句中用单引号括起来(通过 $ _POST['title']
变量):
'Assassin's Creed III'
问题在于 MySQL 将其视为 'Assassin'
,然后是 s Creed III'
。它不知道如何处理后者。
当然,如果此时有人输入有效 SQL,但不是您所期望的,这将成为一个巨大的问题。看看How can I prevent SQL injection in PHP?或任何其他关于避免 SQL 注入(inject)的建议。
关于php - SQL语法错误编辑贴,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/18735894/