0

我看了又看,主要是在带有多个表的 UPDATE 上。一两次我专门搜索了 5 张桌子。这些示例大多只显示两个表。

当我运行下面的代码时,我收到以下消息:更新 memret 1:您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,以获取在 '(M.first = test, M.last = 9, M.address1 = 999 林地, M.zip = 21122, M.emai' 行附近使用的正确语法5 根据我的研究,这发生在很多人身上。我已经多次切换代码。这是我最近一次尝试可能会飞的东西,但它崩溃并显示与上述相同的消息。

下面的代码后面是 mysql db 记录。

请帮忙!

$sql = "UPDATE membership AS M
        LEFT JOIN address2 AS A2 ON M.memno1 = A2.memno2
      LEFT JOIN contact AS Con ON M.memno1 = Con.memno3
        LEFT JOIN workers AS W ON M.memno1 = W.memno4
      LEFT JOIN comments AS Com ON M.memno1 = Com.memno5";
$sql.=" SET (M.first = $first, M.last = $last, M.address1 = $address1,";               
$sql.=" M.zip = $zip, M.email = $email, M.password = $password,";
$sql.=" M.secq = $secq,M.seca = $seca,";
$sql.=" A2.address2 = $address2,";
$sql.=" Con.home = $home, Con.cell = $cell, Con.work = $work,";
$sql.=" W.webhelp = $webhelp, W.locorg = $locorg, W.candasst = $candasst,";
$sql.=" W.loccam = $loccam, W.other = $other, W.otherexp = $otherexp,";
$sql.=" Com.comment = $comment) WHERE memno1=$memno";
$result = mysql_query($sql) or die("update for memret 1: ".mysql_error());

memno1 首末地址 1 zip 电子邮件密码 secq seca memno2 地址2 memno3 家庭单元工作 memno4 webhelp locorg candasst loccam other otherexp memno5 评论 memno6 办公室首末地址1 address2 zip 9 测试九 999 林地 21122 tn9@aol.com tn9999 房屋残骸 9 转储 9 1232224444 3335566 2223335555 9 是 是 首席执行官 9 测试新方面

4

1 回答 1

1

这是一个SQL 注入。如果我正确阅读了错误消息, SQL$address1解析器"999 woodland"将不会正确处理。

停止将原始变量替换为查询字符串。(并且也停止使用mysql_*函数。它们已被弃用。)准备好的语句在这里会有很长的路要走。

// assumes an existing PDO database connection in $conn
// requires exception-handling code (PDOException)
// requires you to check that e.g. integer fields will be updated with integers
$sql = "UPDATE membership AS M
  LEFT JOIN address2 AS A2 ON M.memno1 = A2.memno2
  LEFT JOIN contact AS Con ON M.memno1 = Con.memno3
  LEFT JOIN workers AS W ON M.memno1 = W.memno4
  LEFT JOIN comments AS Com ON M.memno1 = Com.memno5
  SET (M.first = :first, M.last = :last, M.address1 = :address1,
       M.zip = :zip, M.email = :email, M.password = :password,
       M.secq = :secq, M.seca = :seca,
       A2.address2 = :address2,
       Con.home = :home, Con.cell = :cell, Con.work = :work,
       W.webhelp = :webhelp, W.locorg = :locorg, W.candasst = :candasst,
       W.loccam = :loccam, W.other = :other, W.otherexp = :otherexp,
       Com.comment = :comment) WHERE memno1 = :memno";
$query = $conn->prepare($sql);
$params = array(":first" => $first, ":last" => $last, ":address1" => $address1,
                ":zip" => $zip, ":email" => $email, ":password" => $password,
                ":secq" => $secq, ":seca" => $seca,
                ":address2" => $address2,
                ":home" => $home, ":cell" => $cell, ":work" => $work,
                ":webhelp" => $webhelp, ":locorg" => $locorg,
                ":candasst" => $candasst,
                ":loccam" => $loccam, ":other" => $other,
                ":otherexp" => $otherexp,
                ":comment" => $comment, ":memno" => $memno);
$did_we_succeed = $query->execute($params);
于 2013-05-16T22:17:31.040 回答