
No matter what I change, I keep running this code and getting the same error.

require('common.php');
$charname = $_SESSION['user']['username'];
$query = "SELECT group, guild, username, class, level 
          FROM DD_users 
          WHERE username = '".$charname."'";
try
{
    // These two statements run the query against your database table.
    $stmt = $db->prepare($query);
    $stmt->execute();
}
catch(PDOException $ex)
{
    // Note: On a production website, you should not output $ex->getMessage().
    // It may provide an attacker with helpful information about your code. 
    die("Failed to run query: " . $ex->getMessage());
}

// Finally, we can retrieve all of the found rows into an array using fetchAll
$rows = $stmt->fetchAll();

//print_r($rows);
// The SELECT above returns no 'adminaccess' column; read the 'group' column it does return.
$group = $rows[0]['group'];
$guild = $rows[0]['guild'];
$username = $rows[0]['username'];
$class = $rows[0]['class'];
$level = $rows[0]['level'];

It returns this error:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'group, guild, username, class, level FROM DD_users ' at line 1

Apparently I need more text to be able to edit this error...


4 Answers


You forgot the ' character:

$query = "SELECT group, guild, username, class, level 
          FROM DD_users 
          WHERE username = '".$charname."'";
answered 2012-12-22T20:45:00.903

Try this:

$query = "SELECT group, guild, username, class, level FROM DD_users WHERE username = '".$charname."'";

Note the extra quotes '. They are required if you query on strings.

Also: group may be a reserved keyword. You need to escape it with `-style quotes or [brackets]. Try which one works.

answered 2012-12-22T20:34:37.210

Note that the group keyword is reserved; try wrapping it in backticks `

answered 2012-12-22T20:35:24.913

Something like the following will save you the trouble of using single quotes, but more importantly, it also protects you against SQL injection attacks. You never want to accept input and push it directly into a SQL query string. Scary things can happen.

Note the ? placeholder in the query string, and the passing of the replacement value via the call to execute(array($charname)). Doing this lets the underlying library code safely quote $charname into the query.

require('common.php');
$charname = $_SESSION['user']['username'];
$query = "SELECT `group`, guild, username, class, level 
          FROM DD_users 
          WHERE username = ?";
try
{
    // These two statements run the query against your database table.
    $stmt = $db->prepare($query);
    $stmt->execute(array($charname));
}
catch(PDOException $ex)
{
    // Note: On a production website, you should not output $ex->getMessage().
    // It may provide an attacker with helpful information about your code. 
    die("Failed to run query: " . $ex->getMessage());
}

// Finally, we can retrieve all of the found rows into an array using fetchAll
$rows = $stmt->fetchAll();

print_r($rows);
answered 2012-12-22T21:03:21.930
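The following is an added example, not code from the question or any answer: it runs the bound-parameter version of the query from the last answer against an in-memory SQLite database through PDO, so it works offline. The table and column names follow the question; the inserted row, the username `o'brien`, and the `loadCharacter` helper are constructed for the example.

```php
<?php
// Added example: PDO prepared statement with a bound parameter, plus the
// reserved-word quoting and the empty-result check the question's code lacks.
// Uses SQLite so it runs without a MySQL server (constructed data throughout).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

// `group` is a reserved word in MySQL and SQLite alike, so it must be quoted
// both when the table is created and in every query that names the column.
$db->exec('CREATE TABLE DD_users (`group` TEXT, guild TEXT, username TEXT, class TEXT, level INTEGER)');
$ins = $db->prepare('INSERT INTO DD_users (`group`, guild, username, class, level) VALUES (?, ?, ?, ?, ?)');
$ins->execute(['admin', 'Knights', "o'brien", 'mage', 12]);   // constructed sample row

function loadCharacter(PDO $db, string $charname): ?array
{
    // The value is bound by PDO; nothing is quoted or escaped by hand.
    $stmt = $db->prepare('SELECT `group`, guild, username, class, level
                          FROM DD_users
                          WHERE username = ?');
    $stmt->execute([$charname]);
    $rows = $stmt->fetchAll();
    // The question's code reads $rows[0] unconditionally; for an unknown user
    // that produces an undefined-offset notice, so check before indexing.
    return $rows === [] ? null : $rows[0];
}

// A username containing an apostrophe is plain data to a bound parameter.
var_dump(loadCharacter($db, "o'brien"));
// An unknown user yields null instead of a PHP notice.
var_dump(loadCharacter($db, 'nobody'));

// For contrast, the question's string-concatenated form breaks on the same
// input, which is the symptom the answers above are pointing at.
try {
    $db->query("SELECT `group` FROM DD_users WHERE username = '" . "o'brien" . "'");
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
```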