
I'm getting the error message below; apparently there is a syntax problem in my code, but I'm not sure what it is. If I change $data to something simple like "pie", it updates. Is it an error caused by the serialized string?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' . DB_PFIX . 'settings SET setting_options = 'a:12:{s:13:"website_title"' at line 2

Code:

<?php

// $db_connect (mysqli link), DB_PFIX (table prefix constant), $setting_name
// and $option are assumed to be defined earlier in the application.
if( !empty( $_POST['submit'] ) ) {
    $data = serialize( array(
        'website_title' => $_POST['website_title'],
        'website_slogan' => $_POST['website_slogan'],
        'website_theme' => $_POST['website_theme'],
        'website_homepage' => $_POST['website_homepage'],
        'website_description' => $_POST['website_description'],
        'website_keywords' => $_POST['website_keywords'],
        'website_language' => $_POST['website_language'],
        'website_timezone' => $_POST['website_timezone'],
        'website_date_format' => $_POST['website_date_format'],
        'website_time_format' => $_POST['website_time_format'],
        'website_url' => $option['website_url'],
        'website_path' => $option['website_path']
    ));

    // $data and $setting_name are concatenated straight into the SQL text.
    // serialize() output contains double quotes (e.g. s:13:"website_title"),
    // which terminate the "..." literal below; nothing here is escaped or
    // parameterised.
    $query = '
        UPDATE
            ' . DB_PFIX . 'settings
        SET
            setting_options = "' . $data . '"
        WHERE
            setting_name = "' . $setting_name . '"
    ';

    $result = mysqli_query( $db_connect, $query );

    if ( mysqli_affected_rows( $db_connect ) == 1 ) {
        echo "GOOD!";
    } else {
        echo mysqli_error( $db_connect );
    }
}

?>

3 Answers


You can't put a serialized string into the database without escaping it. Escape your data or use prepared statements.

Quick fix:

// mysqli_real_escape_string() takes the connection as its first argument
$data = mysqli_real_escape_string($db_connect, $data);

The real fix: use prepared statements

answered 2013-08-07T22:14:42.480
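The prepared-statement version of the question's UPDATE, as an added example (this is not code from the question or from any of the answers). It assumes, as the question does, that $db_connect is an open mysqli link, DB_PFIX is the table-prefix constant, and $setting_name and $option are set elsewhere in the application; the save_settings() function name is the example's own.

```php
<?php
// Added example: the same UPDATE with a mysqli prepared statement. The
// serialized blob and the setting name travel as bound parameters, so the
// quotes and braces that serialize() emits never touch the SQL text.
// Assumed to exist: $db_connect (mysqli), DB_PFIX (string constant),
// $setting_name and $option (set by the application before this runs).

function save_settings(mysqli $db_connect, string $setting_name, array $settings): bool
{
    // serialize() output such as a:12:{s:13:"website_title";...} contains
    // double quotes; as a bound parameter that is harmless.
    $data = serialize($settings);

    // A table name cannot be a bound parameter, so the prefix is still
    // concatenated. DB_PFIX is a constant under the application's control,
    // not request input, which is what makes that acceptable.
    $sql = 'UPDATE ' . DB_PFIX . 'settings SET setting_options = ? WHERE setting_name = ?';

    $stmt = mysqli_prepare($db_connect, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($db_connect));
    }

    // "ss": both placeholders are bound as strings.
    mysqli_stmt_bind_param($stmt, 'ss', $data, $setting_name);

    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }

    // affected_rows is 1 only when a matching row existed and its value
    // actually changed; rewriting the identical value reports 0, so 0 is not
    // by itself an error.
    $updated = mysqli_stmt_affected_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $updated;
}

if (!empty($_POST['submit'])) {
    $fields = [
        'website_title', 'website_slogan', 'website_theme', 'website_homepage',
        'website_description', 'website_keywords', 'website_language',
        'website_timezone', 'website_date_format', 'website_time_format',
    ];
    $settings = [];
    foreach ($fields as $f) {
        $settings[$f] = $_POST[$f] ?? '';
    }
    // These two come from the application's own config, as in the question.
    $settings['website_url']  = $option['website_url'];
    $settings['website_path'] = $option['website_path'];

    echo save_settings($db_connect, $setting_name, $settings) ? 'GOOD!' : 'no row updated';
}
```

If you take the escaping route instead, note that mysqli_real_escape_string() needs the connection as its first argument and escapes according to the connection's character set, so call mysqli_set_charset() on $db_connect before relying on it. The placeholder version above needs neither.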

How about adding mysqli_real_escape_string:

// both calls need the connection as first argument, and the escaped value must be used
$data = mysqli_real_escape_string($db_connect, $data);

$setting_name = mysqli_real_escape_string($db_connect, $setting_name);
answered 2013-08-07T22:19:19.920

Somehow the query string is not being interpreted correctly. The constant expression DB_PFIX should not be visible in the statement by its name, but by its value! Double-check the $query variable by echoing it on the page.

answered 2013-08-07T22:14:09.980