PHP表单到SQL错误
我正在尝试从表单写入SQL数据库。这都是本地通过WAMP,如果这有区别的话 我收到的错误如下:PHP表单到SQL错误,php,mysql,Php,Mysql,我正在尝试从表单写入SQL数据库。这都是本地通过WAMP,如果这有区别的话 我收到的错误如下: Error: INSERT INTO customers (yard, full_address, business_name, business_status, first_name, last_name, landline_number, mobile_number, email_address) VALUES ('Dominic', '123 Fake Street', 'Dom's Busin
Error: INSERT INTO customers (yard, full_address, business_name, business_status, first_name, last_name, landline_number, mobile_number, email_address) VALUES ('Dominic', '123 Fake Street', 'Dom's Business Name', '', 'Dominic', 'Fichera', 0123456789', '0123456789', '')
Erreur de syntaxe pr�s de 's Business Name', '', 'Dominic', 'Fichera', 0123456789', '0123456789', '')' � la ligne 2
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "login";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (empty($_POST["yard"])) {
$yard_error = "Yard is required";
} else {
$yard = test_input($_POST["yard"]);
}
if (empty($_POST["full_address"])) {
$full_address_error = "Address is required";
} else {
$full_address = test_input($_POST["full_address"]);
}
if (empty($_POST["first_name"])) {
$first_name_error = "First name is required";
} else {
$first_name = test_input($_POST["first_name"]);
}
if (empty($_POST["last_name"])) {
$last_name_error = "Last name is required";
} else {
$last_name = test_input($_POST["last_name"]);
}
if ($_POST["business_status"] = "") {
$business_status_error = "Business status is required";
} else {
$business_status = test_input($_POST["business_status"]);
}
$business_name = $_POST["business_name"];
$landline_number = $_POST["landline_number"];
$mobile_number = $_POST["mobile_number"];
$email_address = $_POST["email_address"];
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO customers (yard, full_address, business_name, business_status, first_name, last_name, landline_number, mobile_number, email_address)
VALUES ('$yard', '$full_address', '$business_name', '$business_status', '$first_name', '$last_name', $landline_number', '$mobile_number', '$business_status')";
if ($conn->query($sql) === TRUE) {
$yard_confirmation = $yard . "successfully saved.";
} else {
$yard_confirmation = "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
}
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
$servername=“localhost”;
$username=“root”;
$password=“”;
$dbname=“login”;
如果($\服务器[“请求\方法”]=“发布”){
如果(空($_POST[“yard”])){
$yard\u error=“需要码”;
}否则{
$yard=测试输入($u POST[“yard”]);
}
如果(空($_POST[“完整地址”])){
$full\u address\u error=“地址是必需的”;
}否则{
$full_address=测试输入($_POST[“full_address”]);
}
if(空($\u POST[“first\u name”])){
$first\U name\U error=“需要名字”;
}否则{
$first_name=测试输入($_POST[“first_name”]);
}
if(空($_POST[“last_name”])){
$last\u name\u error=“姓氏是必需的”;
}否则{
$last_name=测试输入($_POST[“last_name”]);
}
如果($\u POST[“业务状态”]=“”){
$business\u status\u error=“需要业务状态”;
}否则{
$business_status=测试_输入($_POST[“business_status”]);
}
$business\u name=$\u POST[“business\u name”];
$landline\U number=$\U POST[“landline\U number”];
$mobile_number=$_POST[“mobile_number”];
$email\u address=$\u POST[“email\u address”];
//创建连接
$conn=newmysqli($servername、$username、$password、$dbname);
//检查连接
如果($conn->connect\u错误){
die(“连接失败:”.$conn->connect\U错误);
}
$sql=“插入客户(码、完整地址、企业名称、企业状态、名字、姓氏、固定电话号码、手机号码、电子邮件地址)
值(“$yard”、“$full_address”、“$business_name”、“$business_status”、“$first_name”、“$last_name”、$landline_number”、“$mobile_number”、“$business_status”);
if($conn->query($sql)==TRUE){
$yard\u confirmation=$yard.“已成功保存。”;
}否则{
$yard\u confirmation=“Error:”.$sql。“
”$conn->错误;
}
$conn->close();
}
功能测试输入($data){
$data=修剪($data);
$data=条带斜杠($data);
$data=htmlspecialchars($data);
返回$data;
}
“Dom的业务名称”无效,您需要转义:
'Dom\'s Business Name'
请考虑使用准备好的语句。
你SQL注入了你自己的数据库LOL。虽然你有一个函数添加了名为“代码> TestInEnter())的斜杠>代码>你忘记在某些地方使用它。改变这些:
$business_name = $_POST["business_name"];
$landline_number = $_POST["landline_number"];
$mobile_number = $_POST["mobile_number"];
$email_address = $_POST["email_address"];
对这些:
$business_name = test_input($_POST["business_name"]);
$landline_number = test_input($_POST["landline_number"]);
$mobile_number = test_input($_POST["mobile_number"]);
$email_address = test_input($_POST["email_address"]);
我鼓励阅读。在您的查询中,您列出的值中,“$landline\u number”
之前缺少一个引号
另外,由于您没有使用准备好的语句,我强烈建议您对所有用户提交的变量使用mysqli\u real\u escape\u string()
,以防止注入。例如:
$variable = mysqli_real_escape_string($conn, $_POST['variable']);
考虑这个php函数,并在保存到数据库之前准备好字符串。正如其他人所说,问题在于企业名称中的撇号,但可能是其他需要转义的字符。最糟糕的是,您的代码可能成为SQL注入的牺牲品
对于解决方案,行:
$business_name = $_POST["business_name"];
应通过以下方式进行更改:
if ($_POST["business_name"] = "") {
$business_name_error = "Business name is required";
} else {
$business_name = test_input($_POST["business_name"]);
}
以下三行应该以同样的方式进行更改。我建议这样做:
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
以及:
(对每个$u POST变量执行相同的行)
基本上,它是一行中的if/else语句(减少混乱)。如果$\u POST[“business\u name”]中有数据,那么$business\u name将通过test\u输入解析该值-如果它没有值,那么errors数组将获得一个新值
检查并解析所有值后,您可以执行以下操作:
if(empty($errors)) {
//If there are no errors, continue inserting
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO customers (yard, full_address, business_name, business_status, first_name, last_name, landline_number, mobile_number, email_address) VALUES ('$yard', '$full_address', '$business_name', '$business_status', '$first_name', '$last_name', $landline_number', '$mobile_number', '$business_status')";
if ($conn->query($sql) === TRUE) {
$yard_confirmation = $yard . "successfully saved.";
} else {
$yard_confirmation = "Error: " . $sql . "<br>" . $conn->error;
}
} else {
foreach($errors as $error) {
echo $error."<br />";
}
}
if(空($errors)){
//如果没有错误,请继续插入
$conn=newmysqli($servername、$username、$password、$dbname);
如果($conn->connect\u错误){
die(“连接失败:”.$conn->connect\U错误);
}
$sql=“在客户(码、完整地址、业务名称、业务状态、名字、姓氏、固定电话号码、手机号码、电子邮件地址)中插入值(“$码”、“完整地址”、“业务名称”、“业务状态”、“第一名称”、“姓氏”、“固定电话号码”、“移动电话号码”、“业务状态”)”;
if($conn->query($sql)==TRUE){
$yard\u confirmation=$yard.“已成功保存。”;
}否则{
$yard\u confirmation=“Error:”.$sql。“
”$conn->错误;
}
}否则{
foreach($errors作为$error){
echo$错误。“
”;
}
}
不过,我绝对推荐使用PDO,它允许您将值绑定到查询 您需要转义用户输入。这就是为什么会出现错误“Dom的企业名称”测试输入$Business\u nameif(empty($errors)) {
//If there are no errors, continue inserting
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO customers (yard, full_address, business_name, business_status, first_name, last_name, landline_number, mobile_number, email_address) VALUES ('$yard', '$full_address', '$business_name', '$business_status', '$first_name', '$last_name', $landline_number', '$mobile_number', '$business_status')";
if ($conn->query($sql) === TRUE) {
$yard_confirmation = $yard . "successfully saved.";
} else {
$yard_confirmation = "Error: " . $sql . "<br>" . $conn->error;
}
} else {
foreach($errors as $error) {
echo $error."<br />";
}
}