php - MySQL 错误 : ' You have an error in your SQL syntax'

Question

下面这段代码给我这个错误:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' where id = '000'' at line 1"

我不明白这里的问题

<?php
include(".conf.php");
$con = mysql_connect($conf['db_hostname'], $conf['db_username'], $conf['db_password']) or die (mysql_error());
$db = mysql_select_db("aTable", $con);
$pr = $_GET['aThing'];
$pr = addslashes(htmlentities($prof));
$info_array = mysql_query("SELECT * FROM '$db' where id = '$pr'", $con) or die(mysql_error()); 

while($row = mysql_fetch_array( $info_array )) {
    echo $row['aThing'];
    echo "</br>";
    echo $row['aThing'];
    echo "</br>";
    echo $row['aThing'];
    echo "</br>";
    echo $row['aThing'];
};
?>

感谢您的帮助。

Answer 1

您应该将表名放入 FROM 中:SELECT * FROM aTable WHERE ....。此外，您不要转义来自用户的变量。你需要这样的东西:
mysql_query("SELECT * FROM aTable where id = '".mysql_real_escape_string($pr)."'", $con) or die(mysql_error());