
I am making a simple CMS for managing someone's site, although when I try to modify the access level of the user account, it gives a MySQL syntax error:

'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE user_id = 2' at line 5'

Programme has 3 levels of users: 1 = user, 2 = moderator, 3 = administrator.

Here is my code:

<?php
require_once 'db.inc.php';
require_once 'cms_http_functions.inc.php';

$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or
    die ('Unable to connect. Check your connection parameters.');

mysql_select_db(MYSQL_DB, $db) or die(mysql_error($db));

if (isset($_REQUEST['action'])) {

    switch ($_REQUEST['action']) {
    case 'Login':
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $password = (isset($_POST['password'])) ? $_POST['password'] : '';
        $sql = 'SELECT
                user_id, access_level, name
            FROM
                cms_users
            WHERE
                email = "' . mysql_real_escape_string($email, $db) . '" AND
                password = PASSWORD("' . mysql_real_escape_string($password,
                    $db) . '")';
        $result = mysql_query($sql, $db) or die(mysql_error($db));
        if (mysql_num_rows($result) > 0) {
            $row = mysql_fetch_array($result);
            extract($row);
            session_start();
            $_SESSION['user_id'] = $user_id;
            $_SESSION['access_level'] = $access_level;
            $_SESSION['name'] = $name;
        }
        mysql_free_result($result);
        redirect('cms_index.php');
        break;

    case 'Logout':
        session_start();
        session_unset();
        session_destroy();
        redirect('cms_index.php');
        break;

    case 'Create Account':
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $password_1 = (isset($_POST['password_1'])) ? $_POST['password_1'] : '';
        $password_2 = (isset($_POST['password_2'])) ? $_POST['password_2'] : '';
        $password = ($password_1 == $password_2) ? $password_1 : '';
        if (!empty($name) && !empty($email) && !empty($password)) {
            $sql = 'INSERT INTO cms_users
                    (email, password, name)
                VALUES
                ("' . mysql_real_escape_string($email, $db) . '",
                PASSWORD("' . mysql_real_escape_string($password, $db) . '"), 
                "' . mysql_real_escape_string($name, $db) . '")';
            mysql_query($sql, $db) or die(mysql_error($db));

            session_start();
            $_SESSION['user_id'] = mysql_insert_id($db);
            $_SESSION['access_level'] = 1;
            $_SESSION['name'] = $name;
        }
        redirect('cms_index.php');
        break;
    case 'Modify Account':
        $user_id = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        $access_level = (isset($_POST['access_level'])) ? $_POST['access_level']
            : '';
        if (!empty($user_id) && !empty($name) && !empty($email) &&
             !empty($access_level) && !empty($user_id)) {
            $sql = 'UPDATE cms_users SET
                    email = "' . mysql_real_escape_string($email, $db) . '",
                    name = "' . mysql_real_escape_string($name, $db) . '",
                    access_level = "' . mysql_real_escape_string($access_level,
                        $db) . '",
                WHERE
                    user_id = ' . $user_id;
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_admin.php');
        break;

    case 'Send my reminder!':
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        if (!empty($email)) {
            $sql = 'SELECT email FROM cms_users WHERE email="' .
                mysql_real_escape_string($email, $db) . '"';
            $result = mysql_query($sql, $db) or die(mysql_error($db));
            if (mysql_num_rows($result) > 0) {
                $password = strtoupper(substr(sha1(time()), rand(0, 32), 8));
                $subject = 'Comic site password reset';
                $body = 'Looks like you forgot your password, eh? No worries. ' . 
                    'We\'ve reset it for you!' . "\n\n";
                $body .= 'Your new password is: ' . $password;
                mail($email, $subject, $body);
            }
            mysql_free_result($result);
        }
        redirect('cms_login.php');
        break;

    case 'Change my info':
        session_start();
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        if (!empty($name) && !empty($email) && !empty($_SESSION['user_id']))
        {
            $sql = 'UPDATE cms_users SET
                    email = "' . mysql_real_escape_string($email, $db) . '",
                    name = "' . mysql_real_escape_string($name, $db) . '",
                WHERE
                    user_id = ' . $_SESSION['user_id'];
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_cpanel.php');
        break;
    default:
        redirect('cms_index.php');
    }
} else {
    redirect('cms_index.php');
}
?>

I can't seem to find any error in the code. Please Help.

2 Answers

In the 'Modify Account' case, you have an extra comma on one line:

                access_level = "' . mysql_real_escape_string($access_level,
                    $db) . '",
                             ^ here

But I beg you, do not use the mysql_ functions in new code. They are messy, outdated, and officially deprecated. Learn PHP's PDO for database access. Once you get used to it, you will find it easier, cleaner and safer.

answered 2013-09-23T02:55:29.803

Snippet:

'access_level = "' . mysql_real_escape_string($access_level, $db) . '", WHERE...'

(easier to see on one line) There is a comma before the WHERE clause.

Get rid of it. A comma is fine when you are setting another column, but not right before the WHERE.

Remember that in 90% of cases these problems are easy to detect if you just output the SQL strings before executing them (during debugging, not in production).

Also, you need to learn how to use parameterized queries, for better readability and to prevent potential security vulnerabilities (SQL injection).

answered 2013-09-23T02:57:44.150
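Both answers recommend moving to PDO with parameterized queries; the following is an added example (not code from the question or either answer) showing the 'Modify Account' UPDATE rewritten that way, with the stray comma removed and user_id bound as an integer rather than concatenated into the query. It assumes the cms_users table and the three access levels from the question; the DSN, credentials, connectPdo() and modifyAccount() are assumptions.

```php
<?php
// Added example: PDO version of the 'Modify Account' handler.
// The three access levels the question describes: 1 = user, 2 = moderator, 3 = administrator.
const ACCESS_LEVELS = [1, 2, 3];

function connectPdo(): PDO {
    // Assumed connection parameters; replace with the site's own.
    $pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cms_user', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // SQL errors become exceptions
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);         // real server-side prepares
    return $pdo;
}

// Returns the number of rows updated; throws on bad input or SQL errors.
function modifyAccount(PDO $pdo, array $post): int {
    // Reject anything that is not an integer id / a known access level before building SQL.
    $userId      = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT);
    $accessLevel = filter_var($post['access_level'] ?? null, FILTER_VALIDATE_INT);
    $email       = trim((string)($post['email'] ?? ''));
    $name        = trim((string)($post['name'] ?? ''));

    if ($userId === false || $userId < 1 || !in_array($accessLevel, ACCESS_LEVELS, true)
        || $email === '' || $name === '') {
        throw new InvalidArgumentException('user_id, email, name and access_level are required');
    }

    // No trailing comma before WHERE, and every value is a bound parameter
    // instead of being concatenated into the query string.
    $sql = 'UPDATE cms_users
               SET email = :email,
                   name = :name,
                   access_level = :access_level
             WHERE user_id = :user_id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':access_level', $accessLevel, PDO::PARAM_INT);
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Usage: only an administrator (level 3 in the question's scheme) should be able to
// change another account's access level, so check the session before running the update.
session_start();
if ((int)($_SESSION['access_level'] ?? 0) !== 3) {
    http_response_code(403);
    exit('Administrator access required');
}
$updated = modifyAccount(connectPdo(), $_POST);
```

With ERRMODE_EXCEPTION a syntax error such as the extra comma surfaces as a PDOException carrying the server message, so it is caught in development rather than silently producing an empty page.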