无效的查询:您的SQL语法有误
[英]Invalid query: You have an error in your SQL syntax
问题描述
<?php
mysql_connect("mysql6.000webhost.com","a6124751_murali1","***");
$db= mysql_select_db("a6124751_signup");
$topic=$_GET["Topic"];
$question=$_GET["Question"];
$company =$_GET["Company"];
$query = "INSERT INTO questions (topic, question, company) VALUES ($topic, $question, $company)";
$sql1=mysql_query($query);
if (!$sql1) {
die('Invalid query: ' . mysql_error());
}
?>
this is my php code in server where there is a table named 'questions' and i am trying to insert the data into it from the input got from the GET method using form at front end, i can figure out that data is coming properly from the client which i have checked using echo. 
这是我在服务器中的php代码,其中有一个名为“ questions”的表,我正尝试使用前端表单从GET方法获得的输入中将数据插入其中,我可以弄清楚数据是否正确地来自我已经使用echo检查的客户端。 I am getting an error as 我收到一个错误
You have an error in your SQL syntax;
Don't know what is the error in the query. 不知道查询中有什么错误。 anyone find it out asap. 任何人都尽快发现它。 thank you 谢谢
3 个解决方案
解决方案1
5 已采纳 2015-07-22 05:13:51
You need to quote your values 您需要引用您的价值观
('$topic', '$question', '$company')
since those are strings. 因为这些是字符串。
Plus, you should escape your data for a few reasons. 另外,出于某些原因,您应该转义数据。 Not let MySQL complain about certain characters such as hyphens etc., and to protect against SQL injection. 不要让MySQL抱怨某些字符,例如连字符等,并防止SQL注入。
Use prepared statements: 使用准备好的语句:
Reference(s): 参考文献:
- https://en.wikipedia.org/wiki/SQL_injection https://zh.wikipedia.org/wiki/SQL_injection
- How can I prevent SQL injection in PHP? 如何防止PHP中进行SQL注入?
- http://php.net/manual/en/function.mysql-real-escape-string.php http://php.net/manual/zh/function.mysql-real-escape-string.php
Edit: 编辑:
As an example using your present MySQL API: 例如,使用您当前的MySQL API:
$topic = mysql_real_escape_string($_GET['topic']);
$question = mysql_real_escape_string($_GET['question']);
$company = mysql_real_escape_string($_GET['company']);
I don't know what your inputs are called, so that's just an example. 我不知道您的输入被称为什么,所以这只是一个例子。
You mentioned about using $_GET for debugging but using a POST method. 您提到使用$_GET进行调试,但使用POST方法。
- Change all
$_GETto$_POSTabove.将所有$_GET更改$_GET上面的$_POST。
解决方案2
1 2015-07-22 05:21:26
Try this 尝试这个
<?php
$db = mysqli_connect('mysql6.000webhost.com', 'a6124751_murali1', 'default@123', 'a6124751_signup');
if (!$db) {
die('Connect Error (' . mysqli_connect_errno() . ') '
. mysqli_connect_error());
}
$topic = $_GET["Topic"];
$question = $_GET["Question"];
$company = $_GET["Company"];
$query = "INSERT INTO questions (topic, question, company) VALUES ('$topic', '$question', '$company')";
$sql1=mysqli_query($db, $query);
if(!$sql1)
{
die('Invalid query: ' . mysqli_error($db));
}
?>
Fixes in your code 修正您的代码
The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead
mysql扩展名已弃用,以后将被删除:改用mysqli或PDO You need to quote your values
('$topic', '$question', '$company')您需要引用您的值('$topic', '$question', '$company')
解决方案3
0 2015-07-22 05:14:54
You have to put the values in single qoutes, if that are char types: 如果是char类型,则必须将值放在单个qoutes中:
$query = "INSERT INTO questions (topic, question, company) VALUES ('$topic', '$question', '$company')";
But you should not longer use the deprecated mysql_* API. 但是,您不应再使用已弃用的mysql_* API。 Use mysqli_* or PDO with prepared statements. 将mysqli_*或PDO与已准备好的语句一起使用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.