Error after selecting data from the database [duplicate]

Time: 2022-12-26 15:42:31

This question already has an answer here:


I am currently working on a forum website with an upvote-system. However, there are some annoying, probably syntactic errors that are bugging me. I am talking about this piece of code.


<?php
session_start();

include_once 'dbh_discussion.inc.php';
$conn = db_discussion_connect();

$thread_id = $_POST['upvote'];

$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id = '$_SESSION['u_id']' AND thread_id = '$thread_id'");

The things that aren't clear in this piece of code are as follows:


  • db_discussion_connect() is a function declared in dbh_discussion_connect.inc.php. This function returns a new PDO that connects to my database.
  • The index 'upvote' is the name of a button in another PHP file that will call the code above.
  • $_SESSION['u_id'] is a session variable that will be assigned when the user logs onto the website.

The error that I'm getting when debugging on the server:


Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /var/www/html/includes/thread_upvotes.inc.php on line 9


I feel like I'm missing out on something syntactical. Anyhow, I'd really appreciate someone telling me what's going wrong here.

Thanks


4 Answers

#1


3  

I get triggered so hard by these people who provide answers that are still wide open to injections. Is it that difficult to change his prepared statement to something safe?!!!

Here is a solution with a correct prepared statement. As if it takes that long to rewrite it. That should be against the rules here.

<?php
session_start();

include_once 'dbh_discussion.inc.php';
$conn = db_discussion_connect();

$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id = :uid AND thread_id = :tid");
$sql1->bindParam(':uid', $_SESSION["u_id"]);
$sql1->bindParam(':tid', $_POST['upvote']);
$sql1->execute();

#2


1  

Your code has an error, specifically the code user_id = '$_SESSION['u_id']', try this:


 $sql1 = $conn->prepare("SELECT * FROM users 
 WHERE user_id = '{$_SESSION['u_id']}' AND thread_id = '$thread_id'");

To insert array keys inside a string, you must enclose the expression in { } if you specify the key inside ' '.

WARNING: inserting $_SESSION contents directly into the query leaves you open to SQL injection!!!

The correct and better way to insert them is by binding each one like this:


$sql1 = $conn->prepare("SELECT * FROM tableName WHERE fieldID = :id");
$sql1->bindParam(':id', $_SESSION["id"]);
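The following is an added example, not code from the question or from any of the answers above. It runs the prepared-statement pattern recommended in answers #1 and #2 against an in-memory SQLite database so that it is self-contained, and puts it side by side with the interpolated form from the question (written with the {...} syntax from answer #2) so the difference in behaviour is visible. Assumptions: the pdo_sqlite extension is loaded; the users table layout, the sample rows, the hostile input and the helper function names (make_demo_connection, count_upvote_rows, count_upvote_rows_interpolated, handle_upvote) are constructed for this demonstration only.

```php
<?php
// Added example, not code from the question or any of the answers.
// Runs the bound-parameter query from answers #1 and #2 against an in-memory
// SQLite database. Assumptions: pdo_sqlite is loaded; the users table, the
// sample rows and the inputs below are constructed for this demonstration.
declare(strict_types=1);

function make_demo_connection(): PDO
{
    $conn = new PDO('sqlite::memory:');
    // Surface SQL errors as exceptions instead of silent false returns.
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec('CREATE TABLE users (user_id INTEGER, thread_id INTEGER)');
    $conn->exec('INSERT INTO users (user_id, thread_id) VALUES (7, 42), (7, 43), (9, 42)');
    return $conn;
}

// Safe form: values from $_SESSION / $_POST are bound as parameters, so the
// database treats them as data, never as SQL text. Returns the matching row count.
function count_upvote_rows(PDO $conn, string $uid, string $tid): int
{
    $stmt = $conn->prepare(
        'SELECT COUNT(*) FROM users WHERE user_id = :uid AND thread_id = :tid'
    );
    // bindValue copies the value now; bindParam (used in answer #1) binds by
    // reference and reads the variable only when execute() runs.
    $stmt->bindValue(':uid', $uid);
    $stmt->bindValue(':tid', $tid);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Unsafe form, kept only for the contrast: the question's interpolation using
// the {...} syntax from answer #2. It parses, but the input becomes SQL text.
function count_upvote_rows_interpolated(PDO $conn, string $uid, string $tid): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE user_id = '{$uid}' AND thread_id = '{$tid}'";
    return (int) $conn->query($sql)->fetchColumn();
}

// Request-handling helper for the forum (name chosen for this example): checks
// the session and the POST field before any SQL is run.
function handle_upvote(PDO $conn, array $session, array $post): int
{
    if (!isset($session['u_id']) || !isset($post['upvote'])) {
        throw new InvalidArgumentException('not logged in or no thread given');
    }
    // Thread ids are integers; reject anything else before querying.
    if (!ctype_digit((string) $post['upvote'])) {
        throw new InvalidArgumentException('thread id must be numeric');
    }
    return count_upvote_rows($conn, (string) $session['u_id'], (string) $post['upvote']);
}

$conn = make_demo_connection();

// Ordinary request: user 7 upvoting thread 42 -> 1 matching row.
printf("bound, normal input:         %d row(s)\n", count_upvote_rows($conn, '7', '42'));

// A thread id that carries SQL syntax (constructed for the demonstration).
$hostile = "42' OR '1'='1";
// Bound: compared as one literal string, it matches nothing -> 0 rows.
printf("bound, hostile input:        %d row(s)\n", count_upvote_rows($conn, '7', $hostile));
// Interpolated: the OR becomes part of the query and every row matches -> 3 rows.
printf("interpolated, hostile input: %d row(s)\n", count_upvote_rows_interpolated($conn, '7', $hostile));

// The validating wrapper rejects the same input before any SQL runs.
try {
    handle_upvote($conn, ['u_id' => 7], ['upvote' => $hostile]);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Run it with `php example.php`. Two points worth keeping from this: bindValue is the simpler choice when the value is already known at bind time, and on MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES to false so that the server, not the client library, handles the parameters. The input check in handle_upvote is not a substitute for binding; it simply fails fast on requests that cannot be valid.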

#3


0  

Seems like the quotes are making the problem; try like below:

$uid = $_SESSION['u_id'];
$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id = '$uid' AND thread_id = '$thread_id'");

#4


-2  

Did you try like below?


$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id = ".$_SESSION['u_id']." AND thread_id = ".$thread_id);
