[英]Data will not post to MySQL Database
這是我得到的錯誤:
SQL QUERY: INSERT INTO portfolio (portImg,portTitle,portDesc,portCat,portSkill,portDate) VALUES (IMAGE, TITLE, sadasdasd, CAT, SKILL, 2014-02-15 08:53:10)
Could not enter data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
sadasdasd, CAT, SKILL, 2014-02-15 08:53:10)' at line 1
這是我的PHP代碼:
<?php
//if form has been submitted process it
if(isset($_POST['submit'])){
$portImg =$_POST['portImg'];
$portTitle =$_POST['portTitle'];
$desc=$_POST['portDesc'];
$portDesc = trim($desc);
$portCat=$_POST['portCat'];
$portSkill=$_POST['portSkill'];
$portDate=date('Y-m-d H:i:s');
//very basic validation
if($portImg ==''){
$error[] = 'Please enter the title.';
}
if($portTitle ==''){
$error[] = 'Please enter the title.';
}
if($portDesc ==''){
$error[] = 'Please enter the description.';
}
if($portCat ==''){
$error[] = 'Please enter the content.';
}
if($portSkill ==''){
$error[] = 'Please enter the content.';
}
if(!isset($error)){
$query="INSERT INTO portfolio (portImg,portTitle,portDesc,portCat,portSkill,portDate) VALUES ($portImg, $portTitle, $portDesc, $portCat, $portSkill, $portDate)";
echo "SQL QUERY: ".$query."<br />";
if (!mysql_query($query))
{
die('Could not enter data: ' . mysql_error());
}
echo "Entered data successfully\n";
}
//redirect to index page
header('Location: index.php?action=added');
exit;
}
//check for any errors
if(isset($error)){
foreach($error as $error){
echo '<p class="error">'.$error.'</p>';
}
}
?>
這似乎是由Textarea(描述)引起的問題。 它似乎在增加前后的空間。 有任何想法嗎?
對於字符串字段,在插入過程中必須將值用'
括起來...
SQL QUERY: INSERT INTO portfolio (portImg,portTitle,portDesc,portCat,portSkill,portDate)
VALUES ('IMAGE', 'TITLE', 'sadasdasd', 'CAT', 'SKILL', '2014-02-15 08:53:10')
所以你的PHP應該是
INSERT INTO portfolio (portImg,portTitle,portDesc,portCat,portSkill,portDate)
VALUES ('$portImg', '$portTitle', '$portDesc', '$portCat', '$portSkill', '$portDate')
您沒有在清理輸入內容。 如果現在在其中一個字符串中加上雙引號(“),則查詢字符串將被轉義,並且您將獲得無效的查詢。
此外,您冒着XSS攻擊的風險,因為任何人都可以以這種方式隨意輸入查詢。
將'sadasdasd'
放在單引號中,否則SQL會將其假定為表列
我想您已經在描述文字區域輸入了撇號
試試這個
$portTitle = mysql_real_escape_string($portTitle) ;
$portDesc = mysql_real_escape_string($portDesc) ;
....
.....//escape other variables also like that.
然后使用這個:
VALUES ('".$portImg."', '".$portTitle."', '".$portDesc."', '".$portCat."', '".$portSkill."', '".$portDate."')
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.