drxp993551 2014-07-28 21:34
浏览 75
已采纳

PHP解析错误:sql语句的语法错误

What's wrong with my below lines of SQL statement in PHP which causes syntax/parse error. Very simple question but I really appreciate your answers.

$sql = "SELECT * FROM my_table WHERE column1 = '$_POST["my_value"]'";

following is the error: "Parse error: syntax error, unexpected '"', expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING)". I changed the code according to the error(changed " to ' in $_POST or removed it for example) but again received errors. Thanks in advance for the help.

  • 写回答

1条回答 默认 最新

  • doufan1363 2014-07-28 21:36
    关注

    The syntax you are using is indeed incorrect. Here are some options to fix the syntax:

    $sql .= " column1 = '$_POST[my_value]'";
$sql .= " column1 = '{$_POST["my_value"]}'";

    See the PHP documentation on string interpolation for more information.

    However, note that you would be wide open to a SQL injection attack with this code. What if the user enters the text ' AND column1 = (DELETE FROM other_table) AND '? Your query becomes:

    SELECT * FROM my_table WHERE column1 = ''
AND column1 = (DELETE FROM other_table)
AND ''

    This may or may not do anything on MySQL, but it shows you how a user would be allowed to inject their own SQL into your query, which could allow them to do very bad things. For further reading on this topic, see the following question: How can I prevent SQL-injection in PHP?

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 ML307A在使用AT命令连接EMQX平台的MQTT时被拒绝
  • ¥20 腾讯企业邮箱邮件可以恢复么
  • ¥15 有人知道怎么将自己的迁移策略布到edgecloudsim上使用吗?
  • ¥15 错误 LNK2001 无法解析的外部符号
  • ¥50 安装pyaudiokits失败
  • ¥15 计组这些题应该咋做呀
  • ¥60 更换迈创SOL6M4AE卡的时候,驱动要重新装才能使用,怎么解决?
  • ¥15 让node服务器有自动加载文件的功能
  • ¥15 jmeter脚本回放有的是对的有的是错的
  • ¥15 r语言蛋白组学相关问题