This question already has an answer here:
- PHP parse/syntax errors; and how to solve them? 13 answers
I am currently working on a forum website with an upvote-system. However, there are some annoying, probably syntactic errors that are bugging me. I am talking about this piece of code.
<?php
session_start();
include_once 'dbh_discussion.inc.php';
$conn = db_discussion_connect();
$thread_id = $_POST['upvote'];
$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id = '$_SESSION['u_id']' AND thread_id = '$thread_id'");
The things that aren't clear in this piece of code are as follows:
- db_discussion_connect() A function declared in dbh_discussion_connect.inc.php. This function returns a new PDO that connects to my database.
- The index 'upvote' is the name of a button in another PHP file that will call the code above.
- $_SESSION['u_id'] is a session variable that will be assigned when the user logs onto the website.
The error that I'm getting when debugging on the server:
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /var/www/html/includes/thread_upvotes.inc.php on line 9
I feel like I'm missing out on something syntactical. Anyhow, I'd really appreciate someone telling me what's going wrong here.
Thanks
4 Answers
#1
3
I get triggered so hard by these people who provide answers that are still wide open to Injections. Is it that difficult to change his prepared statement to something safe?!!!
Here is a solution with a correct prepared statement. As if it takes that long to rewrite it. That should be against the rules here.
<?php
session_start();
include_once 'dbh_discussion.inc.php';
$conn = db_discussion_connect();
$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id = :uid AND thread_id = :tid");
$sql1->bindParam(':uid', $_SESSION["u_id"]);
$sql1->bindParam(':tid', $_POST['upvote']);
$sql1->execute();
#2
1
Your code has an error, specifically the code user_id = '$_SESSION['u_id']', try this:
$sql1 = $conn->prepare("SELECT * FROM users
WHERE user_id = '{$_SESSION['u_id']}' AND thread_id = '$thread_id'");
To insert array keys inside a string, you must enclose it in { } if you specify the key inside ' '.
WARNING: inserting $_SESSION contents directly into the query leaves you open to SQL Injection!!!
The correct and better way to insert them is by binding each one like this:
$sql1 = $conn->prepare("SELECT * FROM tableName WHERE fieldID = :id");
$sql1->bindParam(':id', $_SESSION["id"]);
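To show the approach answers #1 and #2 recommend end to end, here is an added example (not code from the question or any answer): the upvote lookup rewritten with PDO named placeholders plus integer validation of the two request values, runnable against an in-memory SQLite database. The table layout, sample rows and the function names db_demo_connect / fetch_upvote are constructed for this demo; the thread does not show the real schema.

```php
<?php
// Added example: constructed schema and rows, not the asker's real database.
declare(strict_types=1);

function db_demo_connect(): PDO
{
    $conn = new PDO('sqlite::memory:');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec('CREATE TABLE users (user_id INTEGER, thread_id INTEGER, upvoted INTEGER)');
    $conn->exec('INSERT INTO users VALUES (42, 7, 1), (42, 8, 0), (43, 7, 1)');
    return $conn;
}

// Looks up the row for one user/thread pair. Both values are validated as
// integers first and then bound as typed parameters, so the SQL text never
// contains user-controlled data. That removes the injection risk and, as a
// side effect, the quoting problem that caused the original parse error:
// there is nothing to interpolate inside the query string any more.
function fetch_upvote(PDO $conn, mixed $uid, mixed $threadId): ?array
{
    $uid = filter_var($uid, FILTER_VALIDATE_INT);
    $threadId = filter_var($threadId, FILTER_VALIDATE_INT);
    if ($uid === false || $threadId === false) {
        return null; // reject anything that is not a plain integer
    }
    $stmt = $conn->prepare(
        'SELECT user_id, thread_id, upvoted FROM users WHERE user_id = :uid AND thread_id = :tid'
    );
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->bindValue(':tid', $threadId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Simulated request values: in the real handler these would be
// $_SESSION['u_id'] and $_POST['upvote'], which arrive as strings.
$conn = db_demo_connect();
$sessionUid = '42';
$postedThread = '7';

var_dump(fetch_upvote($conn, $sessionUid, $postedThread)); // row for user 42, thread 7
var_dump(fetch_upvote($conn, $sessionUid, '7x'));          // NULL: rejected before any SQL runs
var_dump(fetch_upvote($conn, $sessionUid, '9'));           // NULL: valid input, no matching row
```

bindValue with PDO::PARAM_INT is used instead of bindParam because the values are already validated copies and do not need to be bound by reference.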
#3
0
Seems like the quotes are making the problem, try like below:
$uid = $_SESSION['u_id'];
$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id = '$uid' AND thread_id = '$thread_id'");
#4
-2
Did you try like below?
$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id =".$_SESSION['u_id']." AND thread_id =".$thread_id);