网站多年来一直运行良好,突然间我遇到了这个错误。专家的任何帮助将不胜感激。
您的 SQL 语法有错误;请查看与您的 MySQL 服务器版本对应的手册,了解在第 1 行的"ORDER BY category ASC"附近使用的正确语法
这是有问题的代码:
// SQL injection attack prevention function
$unit_Recordset1 = "";
if (isset($_GET['unit'])) {
$unit_Recordset1 = GetSQLValueString($_GET['unit'], "text");
}
$category_Recordset1 = "";
if (isset($_GET['category'])) {
$category_Recordset1 = GetSQLValueString($_GET['category'], "text");
}
else $_GET['category'] = "";
// Query builder that create single or multiple AND query
$sql = "SELECT * FROM documents WHERE ";
if(!empty($unit_Recordset1)) {$sql .= " unit = $unit_Recordset1 AND ";}
if(!empty($category_Recordset1)) {$sql .= " category = $category_Recordset1 AND ";}
// Remove the last AND
$sql = substr($sql, 0, -4);
if(!empty($category_Recordset1)) $sql .= " ORDER BY title ASC";
else $sql .= " ORDER BY category, title ASC";
// Query for left nav DISTINCT category values
$sqlnav = "SELECT DISTINCT category FROM documents WHERE unit = $unit_Recordset1 ORDER BY category ASC";
mysql_select_db($database_local, $local);
$Recordset1 = mysql_query($sql, $local) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
$Recordset2 = mysql_query($sqlnav, $local) or die(mysql_error());
$row_Recordset2 = mysql_fetch_assoc($Recordset2);
$totalRows_Recordset2 = mysql_num_rows($Recordset2);
有些流$unit_Recordset1
可能为空。在这种情况下,以下语句:
$sqlnav = "SELECT DISTINCT category FROM documents WHERE unit = $unit_Recordset1 ORDER BY category ASC";
将评估为:
SELECT DISTINCT category FROM documents WHERE unit = ORDER BY category ASC
当然,这不是有效的SQL。您还需要针对这种情况添加检查,如下所示:
$unitClause = "";
if(!empty($unit_Recordset1) {
$unitClause = "WHERE unit = $unit_Recordset1 ";
}
$sqlnav = "SELECT DISTINCT category FROM documents $unitClause ORDER BY category ASC";
您的$sqlnav查询应该是这样的
SELECT DISTINCT category FROM documents WHERE unit = '$unit_Recordset1' ORDER BY category ASC
用单引号封装变量 $unit_Recordset1