dongpan9760 2013-02-18 12:03
Views: 57
Accepted

Problem with a PDO fetch statement

I have the below PHP for my book keeping application. It uses PDO.

if (isset($_POST['lesson'])AND isset($_POST['page']))
{
   try {
      $options_pdo[PDO::ATTR_ERRMODE]=PDO::ERRMODE_EXCEPTION ;
      $DB= new PDO('mysql:host=localhost;dbname=mydb','jamie','admin',$options_pdo);
      $statement=$DB->query("SELECT data FROM teach_books where lesson=".$_POST['lesson']."AND page=".$_POST['page'] );

      while($results = $statement->fetch()){
         $results['data'];
         echo "<br>";
      }

   } catch(Exception $e) {
    die ('ERROR: '.$e->getMessage());
    exit;
  }

}

However when I run the code it displays the below error:

ERROR: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'page=dsas' at line 1

Could anybody help please?


3 answers

  • dtpf76658 2013-02-18 12:06

    A couple of things:

    1) DO NOT INSERT RAW QUERY STRINGS:
    This code is extremely susceptible to SQL Injection. PDO has a feature called 'prepared statements'. This is what you should be using for your SQL queries. Do not just inject some POST parameters into the query string as the result will be a security hole. The quotes you have accidentally inserted into the query may well have come from a malicious user trying a SQL attack.

    2) MISSING SPACE:
    You have a missing space right before the AND. The parser does not know what to make of the term 2AND and so produces the error. The SQL by itself expands to something like:

    SELECT data FROM teach_books where lesson=2AND page=24;
    

    3) MISSING QUOTE MARKS:
    If you were to use something like the above you will need to add some closing quote marks at the end of the query. You also need quotes around the string params that you give inside the select.

    4) ECHO DATA:
    You are not actually printing out anything in the loop. Simply having a statement sitting inside PHP will not print it out. You need the echo command.

    echo $results['data'];
    

    5) ITERATE OVER OBJECT:
    You do not need to keep calling fetch(), you could use fetchAll() and then iterate over that result set. Really you should not call any "fetch" method unless you just need the rows in an array. The result set object is iterable and can be looped over.

    $statement->execute(); 
    foreach ($statement as $row) { 
        ... 
    }  
    

    6) TRY-CATCH:
    You could probably remove the 'try-catch' code because what you are doing inside there is what the exception would do anyway.

    Additionally I hope 'admin' is not your actual password.

    Sorry to have kept adding to my answer. Just wanted to post the 6 points by themselves and then expand on them.

    Hope that helps

    This answer was selected as the best answer by the asker.
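Putting points 1, 4 and 5 of the accepted answer together, here is an added example (not code from the question or from the answer) of the asker's query written with a PDO prepared statement. It assumes an in-memory SQLite database with constructed rows in place of the asker's MySQL server so that it runs stand-alone; the table and column names are the ones from the question.

```php
<?php
// Added example: the asker's query rewritten with a PDO prepared statement.
// Assumption: an in-memory SQLite database stands in for the MySQL server so the
// script runs offline; in production the DSN would be the asker's mysql: one.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed sample data using the table and columns from the question.
$db->exec('CREATE TABLE teach_books (lesson INTEGER, page INTEGER, data TEXT)');
$db->exec("INSERT INTO teach_books VALUES (2, 24, 'Lesson 2, page 24'), (2, 25, 'Lesson 2, page 25')");

function fetchPageData(PDO $db, string $lesson, string $page): array
{
    // lesson and page are integers, so reject any other shape before it reaches
    // the database (this is the input that produced the asker's 1064 error).
    if (!ctype_digit($lesson) || !ctype_digit($page)) {
        return [];
    }

    // Placeholders keep user input out of the SQL text entirely: the values are
    // sent separately, so the missing space and the missing quotes from the
    // question, and injection, no longer come into play.
    $stmt = $db->prepare('SELECT data FROM teach_books WHERE lesson = :lesson AND page = :page');
    $stmt->bindValue(':lesson', (int) $lesson, PDO::PARAM_INT);
    $stmt->bindValue(':page', (int) $page, PDO::PARAM_INT);
    $stmt->execute();

    // The statement object is iterable (answer point 5): no per-row fetch() calls.
    $rows = [];
    foreach ($stmt as $row) {
        $rows[] = $row['data'];
    }
    return $rows;
}

// Constructed request inputs: the valid case, and the "dsas" value from the error.
foreach ([['2', '24'], ['2', 'dsas']] as [$lesson, $page]) {
    $rows = fetchPageData($db, $lesson, $page);
    echo "lesson=$lesson page=$page -> ", count($rows), " row(s)<br>\n";
    foreach ($rows as $data) {
        // Answer point 4: actually echo the value; escape it for HTML output.
        echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```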
