PHP MySQL update statement not working

Time: 2021-03-23 23:11:28

I have a MySQL database with a table (opendpu) that has multiple columns including columns titled "ECRNUM" and "PE_REQUIRED".


I'm simply trying to test this update statement by specifying some values. I get this error:


Array ( [0] => 42000 [1] => 1064 [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DOE WHERE ECRNUM = 81308' at line 1 )


I cannot, for the life of me, figure out what is wrong here. Can anyone help?


<?php
require('config.php');
$ecrno = '81308';
$pe_required = 'JOHN DOE';
// Retry bookkeeping: the posted code never initialises these (assumed values added here)
$counter = 0;
$limit = 3;

while (true) {
    try {
        $db = new PDO($dsn, $uname, $pword);
        $db->exec("SET CHARACTER SET utf8");
        $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
        $db->setAttribute(PDO::ATTR_PERSISTENT, true);
        break;
    } catch (Exception $e) {
        $db = null;
        $counter++;
        if ($counter == $limit)
            throw $e;
    }
}

// The variables are interpolated straight into the SQL text, so the statement
// sent to the server reads: ... SET PE_REQUIRED = JOHN DOE WHERE ECRNUM = 81308
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED = $pe_required WHERE ECRNUM = $ecrno");
$stmt->execute() or die(print_r($stmt->errorInfo(), true));
?>


3 solutions

#1 (score: 1)

Change your syntax like this [Enclosed quotes around the variable]


$stmt = $db->prepare("UPDATE `opendpu` SET PE_REQUIRED = '$pe_required' WHERE ECRNUM = '$ecrno'");

#2 (score: 3)

+1 for using prepared statements... but (and it's a big BUT):


You should never use prepared statements without bind_param as this leaves you wide open to SQL injection and negates the benefits of prepared statements.


$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED=? WHERE ECRNUM=?");
// bind_param() belongs to mysqli; on a PDOStatement each placeholder is bound with bindValue()
$stmt->bindValue(1, $pe_required, PDO::PARAM_STR);
$stmt->bindValue(2, (int) $ecrno, PDO::PARAM_INT);
$stmt->execute() or die(print_r($stmt->errorInfo(), true));
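The same UPDATE written with PDO-bound parameters, as an added example that is not code from the question or from any of the answers. It assumes config.php defines $dsn, $uname and $pword as in the question, and that ECRNUM is an integer column.

```php
<?php
// Added example: parameterised UPDATE with PDO (not from the thread).
// Assumes config.php sets $dsn, $uname, $pword, and that ECRNUM is an INT column.
declare(strict_types=1);
require 'config.php';

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepare; values never enter the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The SQL text holds only placeholders; the values travel separately, so a
// name containing a quote (O'BRIEN) can neither break nor alter the statement.
function setPeRequired(PDO $db, string $peRequired, int $ecrNum): int
{
    $stmt = $db->prepare('UPDATE opendpu SET PE_REQUIRED = :pe WHERE ECRNUM = :ecr');
    $stmt->bindValue(':pe',  $peRequired, PDO::PARAM_STR);
    $stmt->bindValue(':ecr', $ecrNum,     PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // rows actually changed (0 if no such ECRNUM)
}

// For contrast: the statement the question's code sends once the variables are
// substituted. JOHN is parsed as a column, DOE as its alias, hence the
// "near 'DOE WHERE ECRNUM = 81308'" error; quoting the value (answer #1) makes it
// parse, but any quote inside the value would still end the string early.
function interpolated(string $peRequired, string $ecrNum): string
{
    return "UPDATE opendpu SET PE_REQUIRED = $peRequired WHERE ECRNUM = $ecrNum";
}

$db = connect($dsn, $uname, $pword);
$rows = setPeRequired($db, "JOHN O'BRIEN", 81308);
echo "rows updated: $rows\n";
```

With ATTR_EMULATE_PREPARES left at its default (on), PDO quotes the values client-side instead; that still keeps data and SQL apart, but turning emulation off removes any dependence on the client library knowing the connection charset.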

#3 (score: 0)

Please check with below query


// The posted line put concatenation dots inside a double-quoted string, which sent the literal text '.JOHN DOE.';
// closing the string around each variable is what was intended
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED = '" . $pe_required . "' WHERE ECRNUM = '" . $ecrno . "'");
