2011-06-22 81 views
1

PHP PDO statement throws fatal error

I have a function that throws an unusual error about a syntax problem. Take a look:

public static function authenticate($_user, $_pass)
{
    $sql = 'SELECT password, key
              FROM users
             WHERE username = ' . $_user;

    $stm = Db::init()->prepare($sql);
    if ($stm->execute())
        return $stm->fetch(PDO::FETCH_ASSOC);
}

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key FROM users WHERE username = testuser1' at line 1' in /class.php:111

Stack trace:
#0 /class.php(111): PDOStatement->execute()
#1 /class.php(118): Password::authenticate('testuser1', 'test')
#2 {main} thrown in /class.php on line 111

Any idea what this means?

Answer

3

`key` is a reserved word in SQL. Wrap it in backticks in the query. Like this:

public static function authenticate($_user, $_pass)
{
    $sql = 'SELECT password, `key`
              FROM users
             WHERE username = ' . $_user;

    $stm = Db::init()->prepare($sql);
    if ($stm->execute())
        return $stm->fetch(PDO::FETCH_ASSOC);
}

BTW: your code has a SQL injection vulnerability. Use a parameterized query to bind the value of $_user.

+0

Ah, one more thing. I'm obviously too new to this. Now I get the following: 'Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: Column not found: 1054 Unknown column 'testuser1' in 'where clause'' in /class.php:111 Stack trace: #0 /class.php(111): PDOStatement->execute() #1 /class.php(118): Password::authenticate('testuser1', 'test') #2 {main} thrown in /class.php on line 111' – grep

+0

That's because there are no quotes around `$_user`. – Asaph

+0

@Asaph: I don't understand why that matters? – grep
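The bound-parameter version the answer recommends, as an added example that is not code from the question or the answer: the username is sent to the driver separately from the SQL text, so the missing quotes Asaph points to and the injection the answer mentions both go away. It assumes a PDO connection is passed in (the original calls Db::init()) and that users.password holds a password_hash() digest; both are assumptions, and the in-memory SQLite data is constructed for the demo.

```php
<?php
// Added example, not the original poster's code. Assumptions: $pdo is an open
// PDO connection, and users.password stores a password_hash() digest.
class Password
{
    public static function authenticate(PDO $pdo, $user, $pass)
    {
        // Throw on SQL errors instead of silently returning false.
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        // `key` is a reserved word, hence the backticks. The username is a
        // named placeholder, never concatenated into the SQL string, so a
        // quote or SQL fragment in $user is treated as plain data.
        $sql = 'SELECT password, `key`
                  FROM users
                 WHERE username = :username';

        $stm = $pdo->prepare($sql);
        $stm->bindValue(':username', $user, PDO::PARAM_STR);
        $stm->execute();

        $row = $stm->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return false;               // no such user
        }

        // Compare against the stored hash, never against plaintext.
        if (!password_verify($pass, $row['password'])) {
            return false;               // wrong password
        }

        return $row;
    }
}

// Demo against an in-memory SQLite database with constructed test data.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT, `key` TEXT)');
$ins = $pdo->prepare('INSERT INTO users VALUES (:u, :p, :k)');
$ins->execute([
    ':u' => 'testuser1',
    ':p' => password_hash('test', PASSWORD_DEFAULT),
    ':k' => 'k1',
]);

$ok = Password::authenticate($pdo, 'testuser1', 'test');
echo 'correct login: ', ($ok !== false ? 'accepted' : 'rejected'), PHP_EOL;
// A username containing a quote no longer breaks the query; it simply matches no row.
$bad = Password::authenticate($pdo, "o'connor", 'test');
echo 'quoted username: ', ($bad !== false ? 'accepted' : 'rejected'), PHP_EOL;
```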