php - 调试MYSQL语法错误

Question

以下是我网站上的“忘记密码”脚本。我有一个 MYSQL 表，用于存储用户的电子邮件地址。它称为“成员”，有两列:“用户”(用户的电子邮件地址)和“通行证”(他们的密码)。

电子邮件地址 adamjwilkins1604@gmail.com 存在于成员表中。当我在忘记密码表单中输入此电子邮件地址时，出现此错误。我在调试这个问题时遇到了很多麻烦。

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com' at line 1

忘记密码脚本:

<?php // forgot_password.php
include_once 'header.php';

if (isset($_POST['submitted']))
    { // Handle the form.
    if (empty($_POST['email'])) 
        {
        $uid = FALSE;
        echo 'You forgot to enter your registered email address!';    
        }
        else 
            {
            // Check for the existence of the inputted email address.
            $email = trim(sanitizeString($_POST['email']));
            $result = queryMysql("SELECT user FROM members WHERE user='$email'");
                if (mysql_num_rows($result) == 1)
                    {
                    // Retrieve the user's email address
                    list($uid) = mysql_fetch_array ($result, MYSQL_NUM);
                    }
                    else 
                        {
                        echo '<p><font color="red" size="+1">The submitted email address does not match those on file!</font></p>';
                        $uid = FALSE;
                        }
            }

        if ($uid)
            {
            $p = substr(md5(uniqid(rand(),1)),3,10);
            $result = queryMysql("UPDATE members SET pass=SHA('$p') WHERE user = $uid");
            if (mysql_affected_rows() == 1) 
                {
                // If it ran OK, send an email.
                $email = trim(sanitizeString($_POST['email']));
                $body = "Your password has been temporarily changed to '$p'. Please log in using this password and your username.";
                mail ($email, 'Your temporary password.', $body, 'From: admin@mywebsite.com');
                echo '<h3>Your password has been changed. You will receive the new, temporary password at the email address with which you registered. Once you have logged in with this password, you may change it by clicking on the "change password" link.</h3>';
                mysql_close(); // Close the database connection.
                }
                else
                    {
                    // If it did not run OK.
                    echo '<p><font color="red" size="+1">Your password could not be changed due to a system error. We apologize for any inconvenience.</font></p>';
                    }
            }
                else // Failed the validation test.
                    {
                    echo '<p><font color="red" size="+1">Please try again.</font></p>';
                    }
    } // End of the main Submit conditional.
?>

<h1>Reset Your Password</h1>
<p>Enter your email address below and your password will be reset.</p>
<form action="forgot_password.php" method="post">
<fieldset>
<p><b>Your registered email address:</b> <input type="text" name="email" size="20" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /></p>
</fieldset>
<div align="center"><input type="submit" name="submit" value="Reset My Password" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</form>
</div>

Answer 1

您忘记在 UPDATE 语句中引用 $uid。而且你也忘记了逃避它。