dongpan9760 2013-02-18 12:03
Views: 57
Accepted

PDO fetch statement problem

I have the below PHP for my book keeping application. It uses PDO.

if (isset($_POST['lesson']) AND isset($_POST['page']))
{
   try {
      $options_pdo[PDO::ATTR_ERRMODE]=PDO::ERRMODE_EXCEPTION ;
      $DB= new PDO('mysql:host=localhost;dbname=mydb','jamie','admin',$options_pdo);
      $statement=$DB->query("SELECT data FROM teach_books where lesson=".$_POST['lesson']."AND page=".$_POST['page'] );

      while($results = $statement->fetch()){
         $results['data'];
         echo "<br>";
      }

   } catch(Exception $e) {
      die ('ERROR: '.$e->getMessage());
      exit;
   }

}

However when I run the code it displays the below error:

ERROR: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'page=dsas' at line 1

Could anybody help please?


3 answers

  • dtpf76658 2013-02-18 12:06

    A couple of things:

    1) DO NOT INSERT RAW QUERY STRINGS:
    This code is extremely susceptible to SQL Injection. PDO has a feature called 'prepared statements'. This is what you should be using for your SQL queries. Do not just inject some POST parameters into the query string as the result will be a security hole. The quotes you have accidentally inserted into the query may well have come from a malicious user trying a SQL attack.

    2) MISSING SPACE:
    You have a missing space right before the AND. The parser does not know what to make of the term 2AND and so produces the error. The SQL by itself expands to something like:

    SELECT data FROM teach_books where lesson=2AND page=24;
    

    3) MISSING QUOTE MARKS:
    If you were to use something like the above you will need to add some closing quote marks at the end of the query. You also need quotes around the string params that you give inside the select.

    4) ECHO DATA:
    You are not actually printing out anything in the loop. Simply having a statement sitting inside PHP will not print it out. You need the echo command.

    echo $results['data'];
    

    5) ITERATE OVER OBJECT:
    You do not need to keep calling fetch(), you could use fetchAll() and then iterate over that result set. Really you should not call any "fetch" method unless you just need the rows in an array. The result set object is iterable and can be looped over.

    $statement->execute(); 
    foreach ($statement as $row) { 
        ... 
    }  
    

    6) TRY-CATCH:
    You could probably remove the 'try-catch' code because what you are doing inside there is what the exception would do anyway.

    Additionally I hope 'admin' is not your actual password.

    Sorry to have kept adding to my answer. Just wanted to post the 6 points by themselves and then expand on them.

    Hope that helps

    This answer was selected as the best answer by the asker.
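The asker's query rewritten with a PDO prepared statement, given here as an added example (not the answerer's or the asker's code). It assumes the same table and column names as the question and uses placeholder credentials.

```php
<?php
// Added example: the query from the question with a prepared statement,
// so the POST values are sent to MySQL separately from the SQL text.
// Table/column names are taken from the question; DSN and credentials are placeholders.

function fetchPageData(PDO $db, string $lesson, string $page): array
{
    // Named placeholders replace string concatenation: the driver quotes and
    // escapes the values, which also removes the missing-space and
    // missing-quote problems from points 2 and 3 of the accepted answer.
    $statement = $db->prepare(
        'SELECT data FROM teach_books WHERE lesson = :lesson AND page = :page'
    );
    $statement->execute([':lesson' => $lesson, ':page' => $page]);

    // fetchAll() returns every row at once; no repeated fetch() calls needed.
    return $statement->fetchAll(PDO::FETCH_COLUMN, 0);
}

if (isset($_POST['lesson'], $_POST['page'])) {
    $db = new PDO(
        'mysql:host=localhost;dbname=mydb;charset=utf8mb4', // placeholder DSN
        'db_user',      // placeholder user, not a real credential
        'db_password',  // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepares
        ]
    );

    foreach (fetchPageData($db, $_POST['lesson'], $_POST['page']) as $data) {
        // Escape on output so stored text is not rendered as HTML.
        echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8'), '<br>';
    }
}
```

With ERRMODE_EXCEPTION set and no try/catch, an uncaught PDOException still halts the script, which is the behaviour point 6 of the answer describes.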