0

Whenever I visit the page I get: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

It has to do with the second while loop

<html>
<body>
<?php
mysql_connect("mysql.1freehosting.com", "u533288591_sdc", "mypass") or die(mysql_error());
mysql_select_db("u533288591_sdc");
$name = $_POST['name'];
$probably_needed = "questions";
$grade = $_POST['class'] ;
$answers ="answers" ;
$query = mysql_query("SELECT * FROM $probably_needed ") or die(mysql_error()); 
$otherquery = mysql_query("select * from $ANSWERS ") or die (mysql_error()) ;

while($row = mysql_fetch_array($query)){
echo "<a href=\"answer.php?name=" . $name .  "&subject=" . $row['Subject'] .  "&grade=" . $grade . "\">" . $row['Subject'] ."</a>" ;
    while($answerrow = mysql_fetch_array($otherquery)){
        if ($answerrow['name'] == $name){
            if ($answerrow['subject'] == $row['Subject']){
                echo "success" ;
                }
          }
      }

}
?>

</body>
</html>
4

4 回答 4

2

A. In php $answers is not $ANSWERS

Form PHP Doc

Variables in PHP are represented by a dollar sign followed by the name of the variable. The variable name is case-sensitive.

Try 

$answers ="answers" ;
mysqli_query($link,sprintf("Select * from %s",$answers));


B. From PHP Doc on mysql_query

Suggested alternative Use of this extension is discouraged. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:

You should upgrade to mysqli or PDO


C. Due to XSS Injection flaw in your code you should use filter_var

What i think your code should look like 

$mysqli = new mysqli("mysql.1freehosting.com", "u533288591_sdc", "mypass", "u533288591_sdc");

$name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
$grade = filter_var($_POST['class'],FILTER_SANITIZE_STRING);

$tableQuestion = "questions"; // not sure where this would come from
$tableAnswer = "answers";

$resultQuestion = $mysqli->query(sprintf("SELECT * FROM  `%s`", $tableQuestion));
$resultAnswer = $mysqli->query(sprintf("SELECT * FROM  `%s`", $tableAnswer));

$template = "<a href=\"answer.php?name=%s&subject=%s&grade=%s\">%s</a>";

while ( $rowQuestion = $resultQuestion->fetch_assoc() ) {
    printf($resultAnswer, $name, $rowQuestion['Subject'], $grade, $rowQuestion['Subject']);
    while ( $rowAnswer = $resultAnswer->fetch_assoc() ) {
        if ($rowAnswer['name'] == $name && $rowAnswer['subject'] == $rowQuestion['Subject']) {
            echo "success";
        }

    }
}
于 2012-09-30T15:46:39.527 回答
1

Variable names in PHP are case sensitive.

You define: $answers ="answers" ;

but use "select * from $ANSWERS "

$answers is not $ANSWERS

于 2012-09-30T15:47:12.850 回答
0

wrap your variables with backtick. lowercase your variable $ANSWERS

SELECT * FROM `$probably_needed` 
select * from `$answers`

PHP is case sensitive.

于 2012-09-30T15:44:55.267 回答
0

May be I mistake, but you should do so: 

$queryText1 = "SELECT * FROM " + $probably_needed;
$queryText1 = "SELECT * FROM " + $ANSWERS;
$query = mysql_query($queryText1) or die(mysql_error()); 
$otherquery = mysql_query($queryText1) or die (mysql_error()) ;

Other words, you should concatenate string and variable.

于 2012-09-30T15:47:46.320 回答