从PHP运行时,MySQL显示SQL语法错误
[英]MySQL Showing SQL Syntax Error when run from PHP
问题描述
I am trying to create a dynamic page and store it in a MySQL database. 
我正在尝试创建一个动态页面并将其存储在MySQL数据库中。 It connects to the database fine, but there seems to be an error in the SQL Syntax that I can't find. 它可以很好地连接到数据库,但是SQL语法中似乎有一个我找不到的错误。 I've tried reformatting the code and cannot pin point it. 我尝试重新格式化代码,但无法查明。 Here's the PHP: 这是PHP:
<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="UTF-8">
<title></title>
</head>
<body>
<?php
$dbc = mysqli_connect('localhost', 'username', 'password', 'test_db')
or die("There was an error connecting to the database. Please try again later.");
$fullname = (string)$_POST['name'];
$guest_email = $_POST['email'];
$password = $_POST['password'];
echo "<h1>Thanks for your submission!</h1>";
echo "Your Name on File is: ". $fullname . '<br>';
echo "Your Email on File is: ". $guest_email . '<br>';
echo "Your Password on File is: ". $password . '<br>';
$add_query = "INSERT INTO test_form (full_name, email, user_pass) VALUES( $fullname, $guest_email, $password)";
$result = mysqli_query($dbc, $add_query)
or die("<strong>There was an error processing the form. Please call your IT support!</strong>". mysqli_error($dbc));
mysqli_close($dbc);
?>
</body>
</html>
And here's the HTML: 这是HTML:
<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="UTF-8">
<title>Test Form</title>
</head>
<body>
<h1>Test Form</h1>
<form action="index.php" method="post">
<input type="text" placeholder="Name" name="name"/>
<input type="email" name="email" id="email" placeholder="Email"/>
<input type="password" name="password" id="password" placeholder="Enter a password"/>
<input type="submit" value="Submit"/>
</form>
</body>
</html>
3 个解决方案
解决方案1
1 已采纳 2015-01-21 23:53:15
You need to quote your values when it comes to strings 当涉及字符串时,您需要引用您的值
('$fullname', '$guest_email', '$password')
Important note about password storage: 有关密码存储的重要说明:
I noticed you may be storing passwords in plain text. 我注意到您可能以纯文本形式存储密码。 If this is the case, it is highly discouraged and if used on a live site, you will get hacked. 如果是这种情况,我们强烈建议您不要使用它,如果在实时站点上使用它,您将被黑客入侵。
I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. 我建议您使用CRYPT_BLOWFISH或PHP 5.5的password_hash()函数。 For PHP < 5.5 use the password_hash() compatibility pack . 对于PHP <5.5,使用password_hash() compatibility pack 。
If and when you do use one of those, make sure the column is long enough to accomodate the hash. 如果确实要使用其中之一,请确保该列足够长以容纳散列。
Plus, in regards to SQL injection which you are presently open to, use mysqli with prepared statements , or PDO with prepared statements , they're much safer . 另外,关于您目前可以使用的 SQL注入, 将mysqli与预备语句一起使用 ,或将PDO与预备语句一起使用 , 它们要安全得多 。
解决方案2
0 2015-01-21 23:30:07
In $add_query , you're not concatenating the other variables correctly, like you did before. 在$add_query ,您没有像以前那样正确地串联其他变量。 This should work : 这应该工作:
$add_query = "INSERT INTO test_form (full_name, email, user_pass) VALUES ( '" . $fullname . "' , '" . $guest_email . "' , '" . $password . "')";
解决方案3
0 2015-01-22 00:42:45
You should be aware of the fact that your code is vulnerable to SQL Injection, so it must not be used in 'real world' environments but for testing only! 您应该意识到以下事实:您的代码容易受到SQL注入的攻击,因此不得在“现实世界”环境中使用它,而只能用于测试!
To prevent SQL Injections from the beginning you can use Prepared Statements as described in the docs: 为了防止从一开始就进行SQL注入,您可以按照文档中的描述使用Prepared Statements:
- http://php.net/manual/en/mysqli.quickstart.prepared-statements.php http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
- http://php.net/manual/en/mysqli-stmt.bind-param.php http://php.net/manual/en/mysqli-stmt.bind-param.php
I am not familar with the mysqli driver and would recommend to use PDO, which is a more generic approach for database connection. 我不熟悉mysqli驱动程序,因此建议使用PDO,这是用于数据库连接的更通用的方法。
However, your code with mysqli prepared statements should look like this: 但是,带有mysqli准备语句的代码应如下所示:
<?php
$dbc = mysqli_connect('localhost', 'username', 'password', 'test_db')
or die("There was an error connecting to the database. Please try again later.");
$fullname = (string)$_POST['name'];
$guest_email = $_POST['email'];
$password = $_POST['password'];
echo "<h1>Thanks for your submission!</h1>";
echo "Your Name on File is: ". $fullname . '<br>';
echo "Your Email on File is: ". $guest_email . '<br>';
//echo "Your Password on File is: ". $password . '<br>'; // never ever print any password!
/* create prepared statement */
$stmt = mysqli_prepare($dbc, "INSERT INTO test_form (full_name, email, user_pass) VALUES(?, ?, ?)");
/* bind params to prepared statement */
mysqli_stmt_bind_param($stmt, 'sss', $fullname, $guest_email, $password);
/* execute prepared statement */
mysqli_stmt_execute($stmt);
/* close statement and connection */
mysqli_stmt_close($stmt);
/* close connection */
mysqli_close($dbc);
?> ?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.