Php 数据不会发布到MySQL数据库
以下是我得到的错误:Php 数据不会发布到MySQL数据库,php,mysql,sql,post,Php,Mysql,Sql,Post,以下是我得到的错误: SQL QUERY: INSERT INTO portfolio (portImg,portTitle,portDesc,portCat,portSkill,portDate) VALUES (IMAGE, TITLE, sadasdasd, CAT, SKILL, 2014-02-15 08:53:10) Could not enter data: You have an error in your SQL syntax; check the manual that c
SQL QUERY: INSERT INTO portfolio (portImg,portTitle,portDesc,portCat,portSkill,portDate) VALUES (IMAGE, TITLE, sadasdasd, CAT, SKILL, 2014-02-15 08:53:10)
Could not enter data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
sadasdasd, CAT, SKILL, 2014-02-15 08:53:10)' at line 1
以下是我的PHP代码:
<?php
//if form has been submitted process it
if(isset($_POST['submit'])){
$portImg =$_POST['portImg'];
$portTitle =$_POST['portTitle'];
$desc=$_POST['portDesc'];
$portDesc = trim($desc);
$portCat=$_POST['portCat'];
$portSkill=$_POST['portSkill'];
$portDate=date('Y-m-d H:i:s');
//very basic validation
if($portImg ==''){
$error[] = 'Please enter the title.';
}
if($portTitle ==''){
$error[] = 'Please enter the title.';
}
if($portDesc ==''){
$error[] = 'Please enter the description.';
}
if($portCat ==''){
$error[] = 'Please enter the content.';
}
if($portSkill ==''){
$error[] = 'Please enter the content.';
}
if(!isset($error)){
$query="INSERT INTO portfolio (portImg,portTitle,portDesc,portCat,portSkill,portDate) VALUES ($portImg, $portTitle, $portDesc, $portCat, $portSkill, $portDate)";
echo "SQL QUERY: ".$query."<br />";
if (!mysql_query($query))
{
die('Could not enter data: ' . mysql_error());
}
echo "Entered data successfully\n";
}
//redirect to index page
header('Location: index.php?action=added');
exit;
}
//check for any errors
if(isset($error)){
foreach($error as $error){
echo '<p class="error">'.$error.'</p>';
}
}
?>
这似乎是由Textarea(描述)引起的问题。它似乎在前后增加了空间。有什么想法吗?您没有对输入进行消毒。如果现在在其中一个字符串中加上双引号(“),则将转义查询字符串,并得到一个无效查询
此外,您还有遭受XSS攻击的风险,因为任何人都可以通过这种方式随意输入查询。对于字符串字段,您必须在插入过程中用
'
括起您的值……例如:
SQL QUERY: INSERT INTO portfolio (portImg,portTitle,portDesc,portCat,portSkill,portDate)
VALUES ('IMAGE', 'TITLE', 'sadasdasd', 'CAT', 'SKILL', '2014-02-15 08:53:10')
所以你的php应该是
INSERT INTO portfolio (portImg,portTitle,portDesc,portCat,portSkill,portDate)
VALUES ('$portImg', '$portTitle', '$portDesc', '$portCat', '$portSkill', '$portDate')
将
'sadasdasd'
放在单引号中,否则SQL假定它是一个表列我猜您在描述文本区域中输入了撇号
试试这个
$portTitle = mysql_real_escape_string($portTitle) ;
$portDesc = mysql_real_escape_string($portDesc) ;
....
.....//escape other variables also like that.
然后用这个:
VALUES ('".$portImg."', '".$portTitle."', '".$portDesc."', '".$portCat."', '".$portSkill."', '".$portDate."')
哇,你的代码很容易被SQL注入攻击。请使用。如果是用于课程,请通知你的老师
mysql()
函数已被正式弃用。你可以使用mysqli()
函数或PDO(推荐)。好的url可能对你有帮助