php - 错误：您的 SQL 语法在第 1 行的 '' 附近有错误

Question

我不断收到此错误...但是我看不到任何不合适的语法...有什么想法吗？这是我的 PHP 代码。我知道我的其他页面是正确的，因为我可以毫无问题地运行代码的所有其他部分。

<?php 

// this connects To database
$hostname="";    
$username="";   
$password="";    
$dbname="";     

mysql_connect($hostname,$username,$password) OR DIE ("Connection Failed");
mysql_select_db($dbname);


$action = $_REQUEST["action"];
if ($action == 'a') {
$custFirst = null;
$custLast = null;
$custAddress = null;
$custCity = null;   
$custState = null;
$custZip = null;
$custEmail = null;
$custPhone = null;
 } else {
$id = $_REQUEST["id"];
    $query = "select * from custTab where custNo = $id";
    $result = mysql_query($query) 
        or die(mysql_error());
    $row = mysql_fetch_array($result);
    $custFirst = $row['custFirst'];  
    $custLast = $row['custLast'];  
    $custAddress = $row['custAddress'];  
    $custCity = $row['custCity'];
    $custState = $row['custState'];
    $custZip = $row['custZip'];
    $custEmail = $row['custEmail'];
    $custPhone = $row['custPhone'];
} // end if

?>

Answer 1

尝试quotes将$id,

$query = "select * from custTab where custNo = '$id'";

Answer 2

根据custNo字段包含的内容，这是危险和错误的：

$id = $_REQUEST["id"];
$query = "select * from custTab where custNo = $id";

如果 id 是整数，则应使用：

$id = (int) $_REQUEST["id"];
$query = "select * from custTab where custNo = $id";

否则，您将不得不引用它并转义变量：

$id = mysql_real_escape_string($_REQUEST["id"]);
$query = "select * from custTab where custNo = '$id'";

但是你真的应该切换到 PDO / mysqli 和准备好的语句来完全避免这个问题。