[英]How do I correct this PHP syntax
I created a Form with inputs named name, and msg; 我创建了一个表单,其中包含名为name和msg的输入;
I have: 我有:
$q /* My SQL query */ = "INSERT INTO posts ('NOW(),$_POST['name'],$_POST['msg']')";
in my PHP; 在我的PHP中; after deploying the file I get a 500 error.
部署文件后,出现500错误。
I know this code is bugged because after taking it out the page loads fine. 我知道此代码存在错误,因为将其取出后页面加载正常。 How do I fix it, I'm guessing its to do with quotation marks?
我如何解决它,我猜它与引号有关吗?
I think I could concatenate the posted data - using periods - instead of inputting straight into the string, but isn't it possible to do it in the cleaner, nicer, way? 我想我可以使用句号连接发布的数据,而不是直接输入字符串,但是,是否有可能以一种更简洁,更好的方式来完成呢?
The issue does have to do with quotes. 这个问题确实与引号有关。 Here is a way to fix it:
这是一种解决方法:
$q = "INSERT INTO posts (NOW(), '{$_POST['name']}', '{$_POST['msg']}')";
Note that it is extremely important to use prepared statements when dealing with user input to prevent SQL injections.
请注意,在处理用户输入时使用预处理语句以防止SQL注入非常重要。
The PHP manual includes a great page on prepared statements . PHP手册包含有关准备好的语句的精彩页面 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.