如何在sql查询中插入php变量?
[英]How can I insert php variables in a sql query?
问题描述
I've found a lot of answers for this that don't seem to work for me. 
我已经找到了很多答案,这些答案似乎对我不起作用。 When I have apostrophes around the variables $message and $email and $date like 当我在变量$ message和$ email和$ date周围加撇号时
'VALUES ('$message', '$email', '$date')';
it tells me 它告诉我
Parse error: syntax error, unexpected '$message' (T_VARIABLE)
When I remove them, I get something like Could not enter data: Unknown column '$message' in 'field list'. 删除它们后,我得到类似“无法输入数据”的信息:“字段列表”中的未知列“ $ message”。 I've tried to insert 我尝试插入
$message = mysql_real_escape_string($message);
$email = mysql_real_escape_string($email);
$date = mysql_real_escape_string($date);
with " " around the variables like 在变量之类的附近加上“”
'VALUES ("$message", "$email", "$date")';
which gets rid of the error message but now, instead of the input from the html form, i'm getting literally "$message" in my database. 它摆脱了错误消息,但是现在,我从数据库中获取了字面上的“ $ message”,而不是html表单的输入。
What is it that I'm doing wrong? 我做错了什么事? My simple objective is just to take an email, a message, and the date, and put it in a database. 我的简单目标只是获取电子邮件,消息和日期,并将其放入数据库中。 Please help! 请帮忙! Thank you! 谢谢!
Here is the complete code I have: 这是我拥有的完整代码:
<?php
if($_POST && isset($_POST['email'], $_POST['essay'])) {
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'password';
$conn=mysql_connect($dbhost, $dbuser);
if(! $conn)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("Ink", $conn);
date_default_timezone_set("America/New_York");
$message = $_POST['essay'];
$email = $_POST['email'];
$date = date("y-m-d h:i:sa");
$sql = 'INSERT INTO inktable '.
'(writings, email, date) '.
'VALUES ('$message', '$email', '$date')';
mysql_select_db('ink');
$retval = mysql_query($sql, $conn);
if(! $retval)
{
die('Could not enter data: ' .mysql_error());
}
mysql_close($conn);
}
?>
2 个解决方案
解决方案1
4 2015-02-12 07:52:15
I think you need those little dots: 我认为您需要这些小点:
('.$message.', '.$email.', '.$date.')';
Or: 要么:
("'.$message.'", "'.$email.'", "'.$date.'")';
解决方案2
1 2015-02-12 07:54:48
Also, it is better to use the PDO, as the easiest way to minimize problems I think ;) Using prepared statements, you can minimize the risk of SQL injections, as Biffen said. 同样,最好使用PDO,这是最小化我认为的问题的最简单方法;)使用准备好的语句,可以最大程度地减少SQL注入的风险,如Biffen所说。
http://php.net/manual/en/ref.pdo-mysql.php http://php.net/manual/en/ref.pdo-mysql.php
For example, your code with PDO: 例如,使用PDO的代码:
<?php
if($_POST && isset($_POST['email'], $_POST['essay'])) {
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'password';
$dbname = 'Ink';
date_default_timezone_set("America/New_York");
try {
// Try to connect
$dbh = new PDO('mysql:host='.$dbhost.';dbname='.$dbname, $dbuser, $dbpass);
// Data
$message = $_POST['essay'];
$email = $_POST['email'];
$date = date("y-m-d h:i:sa");
// query
$sql = "INSERT INTO inktable (message,email,date) VALUES (:message,:email,:date)";
$q = $dbh->prepare($sql);
$q->execute(array(':message'=>$message,
':email'=>$email,
':date'=>$date));
// Null connection
$dbh = null;
} catch (PDOException $e) { // if exception
print "Error!: " . $e->getMessage() . "<br/>";
die();
}
?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.