【Question title】: Failed to run query: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax
【Posted】: 2014-06-10 09:59:20
【Question】:

Failed to run query: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'telephone = '952 123 123' mobiletelephone = '655 000 000'' at line 4

Can anyone help?

<?php

// First we execute our common code to connect to the database and start the session
require("common.php");

// At the top of the page we check to see whether the user is logged in or not
if(empty($_SESSION['user']))
{
    // If they are not, we redirect them to the login page.
    header("Location: login.php");

    // Remember that this die statement is absolutely critical.  Without it,
    // people can view your members-only content without logging in.
    die("Redirecting to login.php");
}

// This if statement checks to determine whether the edit form has been submitted
// If it has, then the account updating code is run, otherwise the form is displayed
if(!empty($_POST))
{
    // Make sure the user entered a valid E-Mail address
    if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
    {
        die("Invalid E-Mail Address");
    }

    // If the user is changing their E-Mail address, we need to make sure that
    // the new value does not conflict with a value that is already in the system.
    // If the user is not changing their E-Mail address this check is not needed.
    if($_POST['email'] != $_SESSION['user']['email'])
    {
        // Define our SQL query.  Each condition in the WHERE clause must be
        // joined to the next with a logical operator (AND here).
        $query = "
            SELECT
                1
            FROM users
            WHERE
                email = :email AND
                telephone = :telephone AND
                mobiletelephone = :mobiletelephone
        ";

        // Define our query parameter values.  Every :placeholder used in the
        // query above needs a matching entry here, otherwise execute() fails
        // with an "Invalid parameter number" error.
        $query_params = array(
            ':email' => $_POST['email'],
            ':telephone' => $_POST['telephone'],
            ':mobiletelephone' => $_POST['mobiletelephone']
        );

        try
        {
            // Execute the query
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        }
        catch(PDOException $ex)
        {
            // Note: On a production website, you should not output $ex->getMessage().
            // It may provide an attacker with helpful information about your code.
            die("Failed to run query: " . $ex->getMessage());
        }

        // Retrieve results (if any)
        $row = $stmt->fetch();
        if($row)
        {
            die("This E-Mail address is already in use");
        }
    }

    // If the user entered a new password, we need to hash it and generate a fresh salt
    // for good measure.
    if(!empty($_POST['password']))
    {
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
        $password = hash('sha256', $_POST['password'] . $salt);
        for($round = 0; $round < 65536; $round++)
        {
            $password = hash('sha256', $password . $salt);
        }
    }
    else
    {
        // If the user did not enter a new password we will not update their old one.
        $password = null;
        $salt = null;
    }

    // Initial query parameter values
    $query_params = array(
        ':email' => $_POST['email'],
        ':telephone' => $_POST['telephone'],
        ':mobiletelephone' => $_POST['mobiletelephone'],
        ':user_id' => $_SESSION['user']['id'],
    );

    // If the user is changing their password, then we need parameter values
    // for the new password hash and salt too.
    if($password !== null)
    {
        $query_params[':password'] = $password;
        $query_params[':salt'] = $salt;
    }

    // Note how this is only the first half of the necessary update query.  We will
    // dynamically construct the rest of it depending on whether or not the user is
    // changing their password.  Every assignment in the SET clause is separated
    // from the next by a comma.
    $query = "
        UPDATE users
        SET
            email = :email,
            telephone = :telephone,
            mobiletelephone = :mobiletelephone
    ";

    // If the user is changing their password, then we extend the SQL query
    // to include the password and salt columns and parameter tokens too.
    // The leading comma on each line keeps the SET list well-formed.
    if($password !== null)
    {
        $query .= "
            , password = :password
            , salt = :salt
        ";
    }

    // Finally we finish the update query by specifying that we only wish
    // to update the one record for the current user.
    $query .= "
        WHERE
            id = :user_id
    ";

    try
    {
        // Execute the query
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
        // Note: On a production website, you should not output $ex->getMessage().
        // It may provide an attacker with helpful information about your code.
        die("Failed to run query: " . $ex->getMessage());
    }

    // Now that the user's details have changed, the data stored in the $_SESSION
    // array is stale; we need to update it so that it is accurate.
    $_SESSION['user']['email'] = $_POST['email'];
    $_SESSION['user']['telephone'] = $_POST['telephone'];
    $_SESSION['user']['mobiletelephone'] = $_POST['mobiletelephone'];

    // This redirects the user back to the members-only page after the update
    header("Location: members.php");

    // Calling die or exit after performing a redirect using the header function
    // is critical.  The rest of your PHP script will continue to execute and
    // will be sent to the user if you do not die or exit.
    die("Redirecting to members.php");
}

?>

【Comments】:

  • Have you tried to fix the error yourself, or did you come here first and paste your entire PHP code, which has nothing to do with the SQL syntax error?
  • I noticed you tried to suggest an edit to David's answer asking for clarification, which was not approved. You can comment on their answer instead of editing someone else's answer.

Tags: php


【Answer 1】:

As the error message says, there is a syntax error in your SQL query:

SELECT
    1
FROM users
WHERE
    email = :email
    telephone = :telephone
    mobiletelephone = :mobiletelephone

You need to join the conditions in the WHERE clause with a logical operator. For example, if all three conditions must be true, you would use the AND operator:

SELECT
    1
FROM users
WHERE
    email = :email AND
    telephone = :telephone AND
    mobiletelephone = :mobiletelephone

Similarly, your UPDATE query needs the fields being updated separated by commas:

UPDATE users
SET
    email = :email,
    telephone = :telephone,
    mobiletelephone = :mobiletelephone

(Note: after that query you appear to append more fields to the SET clause. You need to make sure every field is comma-separated when you construct the whole query.)
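The answer's point about the dynamically built SET clause generalises: if the assignments are collected in an array and joined with implode(), the commas can never be missed, and the parameter array is built in the same loop so every placeholder has a value. The following is an added example, not code from the question or the answer; `build_update_query` and its whitelist argument are hypothetical, and the column names are only ever taken from that whitelist, never from the request.

```php
<?php
// Added example: build the UPDATE statement and its parameters together.
// $allowed is a fixed whitelist of updatable columns (hypothetical);
// $values maps column => new value (null means "leave unchanged").
function build_update_query(array $allowed, array $values, int $user_id): array
{
    $assignments = array();
    $params = array(':user_id' => $user_id);

    foreach ($allowed as $column) {
        if (!array_key_exists($column, $values) || $values[$column] === null) {
            continue;   // field not being changed, e.g. an empty password
        }
        // One "column = :column" fragment per field; implode() adds the commas
        $assignments[] = $column . ' = :' . $column;
        $params[':' . $column] = $values[$column];
    }

    if (count($assignments) === 0) {
        throw new InvalidArgumentException('nothing to update');
    }

    $sql = 'UPDATE users SET ' . implode(', ', $assignments) . ' WHERE id = :user_id';

    // Every placeholder must have a parameter and vice versa, otherwise PDO
    // raises SQLSTATE[HY093] "Invalid parameter number" at execute()
    preg_match_all('/:(\w+)/', $sql, $matches);
    if (count($matches[1]) !== count($params)) {
        throw new LogicException('placeholder/parameter mismatch');
    }

    return array($sql, $params);
}

// Constructed sample input standing in for validated $_POST values;
// password and salt are null because the user left the password field empty
list($sql, $params) = build_update_query(
    array('email', 'telephone', 'mobiletelephone', 'password', 'salt'),
    array(
        'email'           => 'user@example.com',
        'telephone'       => '952 123 123',
        'mobiletelephone' => '655 000 000',
        'password'        => null,
        'salt'            => null,
    ),
    42
);
// $stmt = $db->prepare($sql); $stmt->execute($params);
```

With the sample input the function produces the answer's corrected three-column UPDATE (password and salt omitted), and the same call with a hashed password and salt supplied adds those two assignments with the commas already in place.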

【Comments】:

  • Thanks @David, most helpful