-3

我有以下 PHP 代码:

function get_all_labels_by_language_id($language_code, $page_index, $user_id) {
    $language_id = $this->get_language_id($language_code);
    $users_query = "select  eng.label_value, loc.votes, loc.user_id, loc.approved, eng.language_value,       
            coalesce(loc.language_value)
            from    labels eng
            left outer join    
                labels loc
            on      loc.language = " . $language_id . "
            and eng.label_value = loc.label_value
            and loc.user_id = '" . $user_id . "'
            where   eng.language = 45
            order by loc.language_value";
    $data = $this->db->query($users_query)->result_array();
    $result = array();
    for ($i = 0; $i < count($data); $i++) {
        $result[$i]['language_id'] = $language_id;
        if (!$data[$i]['user_id']) {
            $result[$i]['translate'] = $data[$i];
            $result[$i]['alternatives'] = NULL;

            $other_records_query = "select  eng.label_value, loc.votes, loc.user_id, loc.approved, eng.language_value,       
                coalesce(loc.language_value)
                from    labels eng
            left outer join    
                labels loc
            on      loc.language = " . $language_id . "
            and eng.label_value = loc.label_value
            where   eng.language = 45 and loc.label_value='" . $data[$i]['label_value'] . "'
            order by loc.language_value";
            $other_records = $this->db->query($other_records_query)->result_array();
            for ($k = 0; $k < count($other_records); $k++) {
                if ($other_records[$k]['approved'] == '1') {
                    $result[$i]['translate'] = $other_records[$k];
                } else {
                    $result[$i]['alternatives'][] = $other_records[$k];
                }
            }
        } else {
            $result[$i]['translate'] = $data[$i];
            $result[$i]['alternatives'] = NULL;
            if ($data[$i]['approved'] == '1') {
                $other_records_query = "select  eng.label_value, loc.votes, loc.user_id, loc.approved, eng.language_value,       
                coalesce(loc.language_value)
                from    labels eng
            left outer join    
                labels loc
            on      loc.language = " . $language_id . "
                    and eng.label_value = loc.label_value
                    and loc.approved='1'
            where   eng.language = 45 and loc.label_value='" . $data[$i]['label_value'] . "'
            and approved='0' order by loc.language_value";
                $other_records = $this->db->query($other_records_query)->result_array();
                for ($k = 0; $k < count($other_records); $k++) {
                    $result[$i]['alternatives'][] = $other_records[$k];
                }
            } else {
                $other_records_query = "select  eng.label_value, loc.votes, loc.user_id, loc.approved, eng.language_value,       
                coalesce(loc.language_value)
                from    labels eng
            left outer join    
                labels loc
            on      loc.language = " . $language_id . "
                    and eng.label_value = loc.label_value
                    and loc.approved='1'
            where   eng.language = 45 and loc.label_value='" . $data[$i]['label_value'] . "'
            order by loc.language_value";
                $other_records = $this->db->query($other_records_query)->result_array();
                for ($k = 0; $k < count($other_records); $k++) {
                    $result[$i]['alternatives'][] = $other_records[$k];
                }
            }
        }
    }

此代码工作正常,但现在我收到以下错误:

错误号:1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't set up correctly. If you're the store owner, please refer to' ' at line 8

select eng.label_value, loc.votes, loc.user_id, loc.approved, eng.language_value, coalesce(loc.language_value) from labels eng left outer join labels loc on loc.language = 24 and eng.label_value = loc.label_value where eng.language = 45 and loc.label_value='It looks like the payment gateway isn't set up correctly. If you're the store owner, please refer to' order by loc.language_value

Filename: Z:\home\localhost\www\system\database\DB_driver.php

Line Number: 330

请告诉我,我该如何解决?我不明白我错在哪里。先感谢您。

4

3 回答 3

1

您没有转义要传递给 column 的字符串label_value。它包含破坏查询的字符。

更新

这看起来像 CodeIgniter 所以你应该使用:

$this->db->escape();

这是手册

http://codeigniter.com/user_guide/database/queries.html

于 2012-07-18T12:27:01.670 回答
0

你应该'在你的字符串文字中转义

'It looks like the payment gateway isn\'t set up correctly. If you\'re the store owner, please refer to'

mysql_real_escape_string是你的朋友。

于 2012-07-18T12:26:58.303 回答
0

您正在使用未转义的字符串构建 SQL - 当其中一个字符串包含引号时,您就死定了。死我的意思是:如果这是一个用户提供的值,你只是失去了对你的数据库的控制(谷歌的“SQL注入”)。

您必须转义所有未知的字符串 - 使用哪种方法取决于您使用的数据库框架:它将提供转义功能。

于 2012-07-18T12:36:21.367 回答