PHP将不会插入MySQL，没有错误

Question

$sql = "INSERT INTO $table_name VALUES
('$_POST[firstname]', '$_POST[lastname]', '$_POST[username]', password('$_POST[password]'), 'Users', '', '', '$pchange', 
'$_POST[email]', '$default_url', '$verify', '', 0, '', 0)";

$result = @mysql_query($sql,$connection) or die(mysql_error());

$sql, $connection and $table_name are all valid and are used previously in the script and the database, this is how my database looks like:

firstname   varchar(20) latin1_swedish_ci       Yes NULL          Change      Drop   More 
lastname    varchar(20) latin1_swedish_ci       Yes NULL          Change      Drop   More 
username    varchar(20) latin1_swedish_ci       Yes NULL          Change      Drop   More 
password    varchar(50) latin1_swedish_ci       Yes NULL          Change      Drop   More 
group1      varchar(20) latin1_swedish_ci       Yes NULL          Change      Drop   More 
group2      varchar(20) latin1_swedish_ci       Yes NULL          Change      Drop   More 
group3      varchar(20) latin1_swedish_ci       Yes NULL          Change      Drop   More 
pchange     varchar(1)  latin1_swedish_ci       Yes NULL          Change      Drop   More 
email       varchar(100)latin1_swedish_ci       Yes NULL          Change      Drop   More 
redirect    varchar(100)latin1_swedish_ci       Yes NULL          Change      Drop   More 
verified    varchar(1)  latin1_swedish_ci       Yes NULL          Change      Drop   More 
last_login  date                                Yes NULL          Change      Drop   More 
balance     double      UNSIGNED                Yes 0             Change      Drop   More 
address     varchar(60) latin1_swedish_ci       Yes NULL          Change      Drop   More 
lostbalance double                              Yes 0             Change      Drop   More 

Thanks in advance.

Answer 1

No error because of @:

@mysql_query($sql,$connection) or die(mysql_error());

The @ suppresses the errors from the mysql_query() function.

I see multiple errors in your statements:

1. '$_POST[firstname]' - is suppossed to be $_POST['firstname'] . Store the value in a variable or use concatenation: "'.$_POST['firstname'].'"

2. Use mysql_query($sql) or die(mysql_error());

3. Escape all the data you are storing in the db.

Answer 2

First of all, it is not good security practice to leave any user input unfiltered, because soon you will be victim of SQL injection and/or XSS attacks. You should filter your user input this way:

$var = filter_var($_POST['var']), FILTER_SANITIZE_STRING);

Then you should use this $var in your SQL query, instead of directly using the $_POST['var']. ie:

$sql = "INSERT INTO $table_name VALUES
('$firstname', '$lastname', '$username', password('$password'), 'Users', '', '', '$pchange', 
'$email', '$default_url', '$verify', '', 0, '', 0)";

Answer 3

您必须在“ VALUES”前面命名表列

INSERT INTO $table_name (field_1, field2, ...) VALUES ($_POST_1, ...)