
I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'testing order by id'

Here is the main page:

echo "<div ><a href='secondpage.php?title=".urlencode($row['title'])."'>".wordwrap($row['title'], 35, "<br />\n", true)."</a></div>";

This is the second page, where the error occurs. The address bar reads http://localhost/secondpage.php?title=more+testing

<?php
$mydb = new mysqli('localhost', 'root', '', 'test');
$sql = "SELECT * FROM test where urlencode(title) =".$_GET['title']" order by id ";
$result = $mydb->query($sql);
if (!$result) {
    echo $mydb->error;
}
?>
<div>
<?php
while ($row = $result->fetch_assoc()) {
    echo $row['firstname'];
}
$mydb->close();
?>
</div>

5 Answers


You want to use urldecode to decode the encoded string in your query:

$title = urldecode($_GET['title']);
$sql = "SELECT * FROM test where title = '$title' order by id";

I'm assuming you have a column named title in your test table. I don't think MySQL has a urlencode function, unless you have a procedure by that name which functions exactly like PHP's urlencode.

Update:

Thanks to @GeorgeLund, who pointed out the SQL injection issue. An important topic which I missed earlier when answering your question. Please have a look at: https://www.owasp.org/index.php/SQL_Injection

At the very least, please update your code to the following:

$title = urldecode($_GET['title']);
$title = mysqli_real_escape_string($mydb, $title); // Addition (the procedural form needs the connection as its first argument)
$sql = "SELECT * FROM test where title = '$title' order by id";
answered 2013-08-09T04:27:06.863
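The following is an added example, not code from the question or from any of the answers. It assumes the same local MySQL server and 'test' table as the question (columns id, title, firstname). It shows the two points the answer above raises: PHP has already URL-decoded the query string when it fills $_GET, so an explicit urldecode() decodes a second time (a title containing "%25" would be mangled), and string escaping is only the minimum; a prepared statement keeps the value out of the SQL text entirely.

```php
<?php
// Added example (not the original question's or answers' code).
// Assumes the question's 'test' database and table with columns id, title,
// firstname, and a local MySQL server; adjust the credentials to your setup.

// $_GET is already URL-decoded by PHP: "title=more+testing" arrives as
// "more testing". No urldecode() call is needed here.
$title = isset($_GET['title']) ? $_GET['title'] : '';

$mydb = new mysqli('localhost', 'root', '', 'test');
if ($mydb->connect_error) {
    die('Connection failed: ' . $mydb->connect_error);
}
// Escaping and parameter binding are charset-aware; set it explicitly.
$mydb->set_charset('utf8mb4');

// Injectable (what the question does): the value becomes part of the SQL
// text, so a title such as   ' OR '1'='1   rewrites the query's logic.
//   $sql = "SELECT * FROM test WHERE title = '$title' ORDER BY id";
//
// Minimum fix (what the answer above does): escape with the connection,
//   $safe = $mydb->real_escape_string($title);
//
// Preferred fix: a prepared statement. The SQL with a '?' placeholder is
// sent to the server first; the value is bound afterwards and is never
// parsed as SQL, whatever characters it contains.
$stmt = $mydb->prepare('SELECT id, title, firstname FROM test WHERE title = ? ORDER BY id');
if (!$stmt) {
    die('Prepare failed: ' . $mydb->error);
}
$stmt->bind_param('s', $title);     // 's' binds the value as a string
$stmt->execute();
$stmt->bind_result($id, $rowTitle, $firstname);

echo "<div>\n";
while ($stmt->fetch()) {
    // Escape on output as well: the value came from the database, and the
    // main page inserted it into HTML unescaped.
    echo htmlspecialchars($firstname, ENT_QUOTES, 'UTF-8'), "<br />\n";
}
echo "</div>\n";

$stmt->close();
$mydb->close();
?>
```

bind_result() is used instead of get_result() so the example does not depend on the mysqlnd driver; with mysqlnd, $stmt->get_result()->fetch_assoc() gives the same rows as associative arrays.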
$sql = "SELECT * FROM test where urlencode(title) ='".$_GET['title']."' order by id ";
answered 2013-08-09T04:30:01.360

As far as I know, SQL does not have a urlencode function, and why would you even want to urlencode the column name?

Also, to use the encoded title string that is received from the last page, you should decode the encoded title.

So here is what I think you meant to do.

$sql = "SELECT * FROM test WHERE title = '".urldecode($_GET['title'])."' order by id ";
answered 2013-08-09T04:25:59.100

Try something like

$sql = "SELECT * FROM test WHERE urlencode(title) = ".$_GET['title']." ORDER BY id ";

You missed the '.', so the string-concatenation syntax was lost.

answered 2013-08-09T04:19:56.767

Please try this code, using urldecode

$sql = "SELECT * FROM test where title = '".urldecode($_GET['title'])."' order by id ";
answered 2013-08-09T04:24:22.157