语法的MySQL/PHP的错误

Question

我真的不明白为什么这种说法是错误

$uname=$_POST['username']; 
$pass=$_POST['pass']; 
$str="select * from account where username='".$uname."' and password='".$pass."'"; 
echo $str; 
echo "\n"; 
$str=mysql_real_escape_string($str); 
$result=mysql_query($str) or die("Error: ". mysql_error(). " with query ". $str); 
$num=mysql_num_rows($result); 

这表明我：

select * from account where username='negin'and password='parsa' Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'negin\'and password=\'parsa\'' at line 1 with query select * from account where username=\'negin\'and password=\'parsa\' 

Answer 1

使用mysql_real_escape_string()的参数，没有对整个查询。您正在转义单引号，因此查询出错。

Answer 2

使用这种方式

$uname=mysql_real_escape_string($_POST['username']); 
$pass=mysql_real_escape_string($_POST['pass']); 
$str="select * from account where username='".$uname."' and password='".$pass."'"; 

$result=mysql_query($str) or die("Error: ". mysql_error(). " with query ". $str); 
$num=mysql_num_rows($result); 

Answer 3

我已经运行它这样的问题，以及，这个问题是在mysql_real_escape_string()部分

//Change 
$str="select * from account where username='".$uname."' and password='".$pass."'"; 

//To 
$str="select * from account where username='".mysql_real_escape_string($uname)."' and password='".mysql_real_escape_string($pass)."'"; 

Answer 4

因为你是在整体上使用mysql_real_escape_string() $海峡。它也会转义您为了插入变量而手动添加的单引号。从而导致错误。

试试这个方法。

$uname=$_POST['username']; 
$pass=$_POST['pass']; 

$uname = mysql_real_escape_string($uname); 
$pass = mysql_real_escape_string($pass); 

$str="select * from account where username='".$uname."' and password='".$pass."'"; 
echo $str; 
echo "\n"; 
//$str=mysql_real_escape_string($str); 
$result=mysql_query($str) or die("Error: ". mysql_error(). " with query ". $str); 
$num=mysql_num_rows($result);