非常简单的MySQL查询无法正常工作

Question

I'm trying to execute this:

$result = mysql_query("INSERT INTO timesheet (project_no,user,cust_name,notes,duration) VALUES("'".$_POST['project']."', '".$_POST['user']."', '".$_POST['cust']."', '".$_POST['notes']."', '".$_POST['duration']."'")") or die(mysql_error());

I'm aware of SQL injection. But for now can anyone spot the issues with apostrophes, speech marks etc??

Answer 1

使用准备好的声明http://www.petefreitag.com/item/356.cfm

Answer 2

The apostrophes were not correct.

$result = mysql_query("INSERT INTO timesheet (project_no,user,cust_name,notes,duration) VALUES('".$_POST['project']."', '".$_POST['user']."', '".$_POST['cust']."', '".$_POST['notes']."', '".$_POST['duration']."')") or die(mysql_error());

The mistake was in the beginning in "values" and on the closing bracket inside the query string. Use an editor with syntax highlighting, that would've already showed the problem.

Answer 3

Unending lines filled with parts of strings and variables concatenated with dots is one of the most horrible habits of too many PHP programmers. Do your future self a favor and write readable code. Sticking with this example (ignoring all its other problems) use other variables to hold the values (which in the real world you'll need anyway since you're not going to directly use $_POST I hope) and write something like this:

$sql = "INSERT INTO timesheet (project_no,user,cust_name,notes,duration)
        VALUES('$project', '$user', '$cust', '$notes', '$duration')";

$result = mysql_query($sql) or die(mysql_error());

no more quotes open/close madness, no more 239 chars line, way more readable and maintainable.

Answer 4

I think double quote and closing apostrophes issue. Try this:

$result = mysql_query("INSERT INTO timesheet (project_no,user,cust_name,notes,duration) VALUES('".$_POST['project']."', '".$_POST['user']."', '".$_POST['cust']."', '".$_POST['notes']."', '".$_POST['duration']."')") or die(mysql_error());