SQL打破了我没有放入代码的角色

Joh*_*ohn 0 php sql syntax

我在这个PHP代码上遇到语法错误:

<snip>
$last = (isset($_GET['last']) && $_GET['last'] != '') ? $_GET['last'] : 0;

$query = "SELECT message_id, user_name, message, date_format(post_time, '%h:%i') AS post_time" . 
    " FROM message WHERE chat_id = " . db_input($_GET['chat']) . " AND message_id > " . $last . ";";

$message_query = db_query($query);
</snip>
Run Code Online (Sandbox Code Playgroud)

而且db_query:

function db_query($query, $link = 'db_link') {
    global $$link;

    $result = mysql_query(mysql_real_escape_string($query), $$link) or db_error($query, mysql_errno(), mysql_error());

    return result;
}
Run Code Online (Sandbox Code Playgroud)

确切的错误是这样的:

You have an error in your SQL syntax; check the manual that corresponds 
to your MySQL server version for the right syntax to use near '\' %h:%i\') 
AS post_time FROM message WHERE chat_id = 1 AND message_id > 0' at line 1<br><br>
SELECT message_id, user_name, message, date_format(post_time, '%h:%i') AS 
post_time FROM message WHERE chat_id = 1 AND message_id > 0;
Run Code Online (Sandbox Code Playgroud)

正如您所看到的,它在我的代码中没有/看到的字符上抛出错误.这里发生了什么?

jer*_*oen 5

mysql_real_escape_string只需要使用变量,而不是整个sql查询.

现在它正在翻译:

date_format(post_time, '%h:%i')
Run Code Online (Sandbox Code Playgroud)

至:

date_format(post_time, \'%h:%i\')
Run Code Online (Sandbox Code Playgroud)

顺便说一句,我假设你的db_input函数准备你的变量用于数据库,所以你肯定也需要将它用于你的$last变量.