查询失败您的SQL语法中有错误

时间:2022-01-03 15:48:54

[ASK] my php error "Failed query You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'order (iduser, idfood, jumlah, total) VALUES (9, 1, 2, 20000)' at line 1" what's wrong ....?

[问]我的php错误“查询失败你的SQL语法有错误;请查看与你的MariaDB服务器版本对应的手册,以便在'order(iduser,idfood,jumlah,total)附近使用正确的语法VALUES(9, 1,2,20000)'在1号线'出了什么问题......?

myphp

<?php  
$data= file_get_contents('php://input');
    $array = json_decode($data, true);

    require_once ('..../db_connectfood.php');

    $db = new DB_CONNECT();

    foreach($array as $row)  
    {  
      $idusr = $row["iduser"];
       $idfd = $row["idfood"];
       $jml = $row["jumlah"];
       $total = $row["total"];
       $result = mysql_query("INSERT INTO order (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());        

    }  
    if ($result) {
        // successfully inserted into database
        $response["success"] = 1;
        $response["message"] = "successfully created.";

        // echoing JSON response
        echo json_encode($response);
    } else {
        // failed to insert row
        $response["success"] = 0;
        $response["message"] = "Oops! An error occurred.";

        // echoing JSON response
        echo json_encode($response);
    }

?>

how to get value success and message from this php ?

如何从这个PHP获得价值成功和消息?

查询失败您的SQL语法中有错误

iduser and idfood is foreign key

iduser和idfood是外键

3 个解决方案

#1

1  

order is a reserved word in SQL. The best approach would be to change your table's name (e.g., to orders, in plural). if this is not possible, you can use backticks to escape the name:

order是SQL中的保留字。最好的方法是更改​​表格的名称(例如,更改为多个订单)。如果这不可能,您可以使用反引号来转义名称:

INSERT INTO `order` (iduser, idfood, jumlah, total)
VALUES ($idusr, $idfd, $jml, $total)

Mandatory comment:
Using string manipulation in SQL statements leaves your code vulnerable to SQL injection attacks. You should consider using a prepared statement instead.

强制性注释:在SQL语句中使用字符串操作会使代码容易受到SQL注入攻击。您应该考虑使用预先准备好的声明。

#2

0  

Hi please try with this:

嗨,请尝试这个:

$result = mysql_query("INSERT INTO databasename.order (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());

$ result = mysql_query(“INSERT INTO databasename.order(iduser,idfood,jumlah,total)VALUES($ idusr,$ idfd,$ jml,$ total)”)或die(“Failed query”.mysql_error());

order is a nomenclature word from mysql.

order是来自mysql的命名词。

best regards.

#3

0  

order is a reserved word.

订单是一个保留字。

To be able to use a reserved word in a query, you must escape it by surrounding it with backticks as in `reserved word` (careful the backtick may look like a single quote, but it's not).

为了能够在查询中使用保留字,你必须使用反引号将其包围,如“保留字”一样(小心反引号可能看起来像单引号,但事实并非如此)。

So, in your case change

所以,在你的情况下改变

$result = mysql_query("INSERT INTO order (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());

to

$result = mysql_query("INSERT INTO `order` (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());

... and check for the rest of the table or column names if they are reserved words.

...如果它们是保留字,则检查其余的表名或列名。

As a best & secure practice, parameterized queries/prepared statements are recommended.

作为最佳和安全的做法,建议使用参数化查询/预准备语句。

#1

1  

order is a reserved word in SQL. The best approach would be to change your table's name (e.g., to orders, in plural). if this is not possible, you can use backticks to escape the name:

order是SQL中的保留字。最好的方法是更改​​表格的名称(例如,更改为多个订单)。如果这不可能,您可以使用反引号来转义名称:

INSERT INTO `order` (iduser, idfood, jumlah, total)
VALUES ($idusr, $idfd, $jml, $total)

Mandatory comment:
Using string manipulation in SQL statements leaves your code vulnerable to SQL injection attacks. You should consider using a prepared statement instead.

强制性注释:在SQL语句中使用字符串操作会使代码容易受到SQL注入攻击。您应该考虑使用预先准备好的声明。

#2

0  

Hi please try with this:

嗨,请尝试这个:

$result = mysql_query("INSERT INTO databasename.order (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());

$ result = mysql_query(“INSERT INTO databasename.order(iduser,idfood,jumlah,total)VALUES($ idusr,$ idfd,$ jml,$ total)”)或die(“Failed query”.mysql_error());

order is a nomenclature word from mysql.

order是来自mysql的命名词。

best regards.

#3

0  

order is a reserved word.

订单是一个保留字。

To be able to use a reserved word in a query, you must escape it by surrounding it with backticks as in `reserved word` (careful the backtick may look like a single quote, but it's not).

为了能够在查询中使用保留字,你必须使用反引号将其包围,如“保留字”一样(小心反引号可能看起来像单引号,但事实并非如此)。

So, in your case change

所以,在你的情况下改变

$result = mysql_query("INSERT INTO order (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());

to

$result = mysql_query("INSERT INTO `order` (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());

... and check for the rest of the table or column names if they are reserved words.

...如果它们是保留字,则检查其余的表名或列名。

As a best & secure practice, parameterized queries/prepared statements are recommended.

作为最佳和安全的做法,建议使用参数化查询/预准备语句。

标签:

相关文章