[SQL Server]'neal'附近的语法不正确[复制]

时间:2021-12-21 22:48:40

This question already has an answer here:

这个问题在这里已有答案:

I'm trying to update my a row. But it automatically creates an error because the data in a column contains this Shaquille O'neal Or are there any problems ? Here's my code

我正在尝试更新我的排。但它会自动创建一个错误,因为列中的数据包含此Shaquille O'neal或者有任何问题吗?这是我的代码

  <?php
if(isset($_POST['editSubmit'])){
    $buildingID       = $_POST['editBuilding'];
    $buildingName     = $_POST['editBuildingName'];   
    $buildingProject  = $_POST['editBuildingProject'];
    $buildingFloors   = $_POST['editBuildingFloors'];
    $q = "update tblBuilding SET buildingName= '$buildingName' building_projectID='$buildingProject'
          floorNumber = '$buildingFloors'         
          where buildingID = '$buildingID'"; 
    $query = $db-> prepare($q);
    $results = $query->execute();
    echo" <meta http-equiv='refresh' content='0;url=project.php'>"; 
}
?>

EDITED: Prepared:

编辑:准备:

<?php
if(isset($_POST['editSubmit'])){
    $buildingID       = $_POST['editBuilding'];
    $buildingName     = $_POST['editBuildingName'];   
    $buildingProject  = $_POST['editBuildingProject'];
    $buildingFloors   = $_POST['editBuildingFloors'];

$stmt = $db->prepare("update tblBuilding set buildingName=?, building_projectID=?,floorNumber=?  where buildingID = $buildingID");

$stmt->bindParam(1, $buildingName );
$stmt->bindParam(2, $buildingProject);
$stmt->bindParam(3, $buildingFloors );
$stmt->execute();



    echo" <meta http-equiv='refresh' content='0;url=project.php'>"; 
}
?>

3 个解决方案

#1


1  

The real problem is that you're concatenating input data into SQL. This is a no-go: it opens the door wide for SQL injection problems.

真正的问题是您将输入数据连接到SQL。这是一个禁忌:它为SQL注入问题打开了大门。

Use parametrized queries and your problems should vanish.

使用参数化查询,您的问题应该消失。

#2


0  

I suggest you could print out the query. Most likely it's because you wrap the value $buildingName using single quote which paired with the one in Shaquille O'neal then causes the rest of the query syntax error.

我建议你打印出来的查询。最有可能的原因是你使用单引号包装值$ buildingName,它与Shaquille O'neal中的那个匹配,然后导致其余的查询语法错误。

#3


-1  

the issue is the apostrophe you have in your data. If you have such a data you need to replace all apostrophe to double apostrophe. some thine like below

问题是你的数据中有撇号。如果您有这样的数据,则需要将所有撇号替换为双撇号。有些你喜欢以下

value = replace(value, "'", "''")

then pass that data a your field value

然后将该数据传递给您的字段值

#1


1  

The real problem is that you're concatenating input data into SQL. This is a no-go: it opens the door wide for SQL injection problems.

真正的问题是您将输入数据连接到SQL。这是一个禁忌:它为SQL注入问题打开了大门。

Use parametrized queries and your problems should vanish.

使用参数化查询,您的问题应该消失。

#2


0  

I suggest you could print out the query. Most likely it's because you wrap the value $buildingName using single quote which paired with the one in Shaquille O'neal then causes the rest of the query syntax error.

我建议你打印出来的查询。最有可能的原因是你使用单引号包装值$ buildingName,它与Shaquille O'neal中的那个匹配,然后导致其余的查询语法错误。

#3


-1  

the issue is the apostrophe you have in your data. If you have such a data you need to replace all apostrophe to double apostrophe. some thine like below

问题是你的数据中有撇号。如果您有这样的数据,则需要将所有撇号替换为双撇号。有些你喜欢以下

value = replace(value, "'", "''")

then pass that data a your field value

然后将该数据传递给您的字段值