My PHP form submit to MySQL doesn't work if there is a single quote in the text


This is my HTML page:

<form method="post">
<input type="hidden" name="user" readonly="readonly" value="<?php echo htmlspecialchars($session->username, ENT_QUOTES); ?>">
<input placeholder="TAS Code" class="input-text" type="text" name="customerCode" id="name" />
<textarea placeholder="Comments" style="width: 500px;" wrap="hard" class="input-text" name="comments" id="email"></textarea>
<input type="submit" value="Submit" class="btn-u btn-u-small" name="submit" id="comment-submit" />
</form>
And finally my web.php, which handles the form contents:

$mysqli = mysqli_connect("localhost", "pf_sales", "pfsal3s", "pf_sales");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$webbox = $_POST['web'];
$codebox = $_POST['customerCode'];
$commentbox = $_POST['comments'];
$discount = $_POST['discount'];
$task = $_POST['taskbox'];
$clear = $_POST['clearbox'];
$user = $_POST['user'];


if ($codebox !="" && $commentbox !="" && $webbox!="" && $discount!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]'),discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $webbox!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $task!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
else if ($codebox!="" && $commentbox!="" && $user!="")
 {
    $query ="INSERT INTO commentstable (user, customerCode, comments) VALUES ('$_POST[user]', '$_POST[customerCode]', '$_POST[comments]');";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }

 else if ($codebox!="" && $webbox!="" )
 {
    $query ="UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }
 else if ($codebox!="" && $discount!="" )
 {
    $query ="UPDATE webdiscount SET discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]'); ";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }
else if ($codebox !="" && $task!="")
{

$query = "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
else if ($codebox !="" && $clear=="done")
{

$query = "UPDATE webdiscount SET taskFor='' where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
So when we enter a code and a comment it should update the comments table. It works fine as long as we don't use a single quote in the text, i.e. if we write "We didn't do this" the form doesn't update the database.


Any help would be much appreciated. Thanks.

Use mysqli_real_escape_string() (read the manual page for it).

So the code should be

$codebox = mysqli_real_escape_string($mysqli, $_POST['customerCode']); // pass the connection from mysqli_connect() as the first argument

and so on.


The problem is that you are passing unescaped single quotes into the SQL query. For example, if $_POST['customerCode'] contains We didn't do this, your query will look like this:

INSERT INTO commentstable (customerCode, comments) VALUES ('We didn't do this', '…')

Do you see the extra quote that breaks the SQL statement? You can prevent this with mysqli::real_escape_string, or better, by switching to prepared statements. Your query would then look like this:

$query = "INSERT INTO commentstable (customerCode, comments) VALUES (?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('ss', $_POST['customerCode'], $_POST['comments']); // both are text inputs in the form, so bind both as strings
$stmt->execute();

By the way, you should use isset or empty to check whether those POST variables exist, otherwise you will get errors when they are not passed.
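The following is an added example and not code from the question or from either answer. It uses the question's own field names to show three things: the SQL text that web.php actually builds from "We didn't do this", why the multi_query() pattern turns that syntax error into an injection (the submitter's semicolon starts a real second statement), and what the prepared-statement fix from the answer above looks like when applied to all of web.php, with the escaping approach from the first answer shown alongside for comparison. It assumes a MySQL server reachable with the question's credentials and the tables commentstable(user, customerCode, comments) and webdiscount(customerCode, web, discount, taskFor) that the question's queries imply; the injection payload is constructed for the demonstration.

```php
<?php
// Added example, not the question's or the answers' code. Assumes the question's
// MySQL credentials and the tables implied by its queries.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly instead of silently writing nothing

// 1. What the question's code builds. No database is needed to see the problem.
function buildUnsafeInsert(string $customerCode, string $comments): string
{
    return "INSERT INTO commentstable (customerCode, comments) VALUES ('$customerCode', '$comments');";
}

$comment = "We didn't do this"; // the input from the question
echo buildUnsafeInsert('TAS001', $comment), PHP_EOL;
// The ' in didn't closes the string literal early. MySQL reports a syntax error,
// multi_query() returns false, and the question's code prints nothing and stores nothing.

// 2. The same hole lets the submitter run statements of their own. Because web.php
// uses multi_query(), a ; in the input really does start a second statement.
$constructedPayload = "TAS001', 'x'); UPDATE webdiscount SET discount = '100' WHERE customerCode = 'TAS001'; -- ";
echo buildUnsafeInsert($constructedPayload, 'anything'), PHP_EOL;
// Result: a valid INSERT, then an UPDATE the form never offered, then a comment swallowing the rest.

// 3. The fix: prepared statements. The SQL text holds only placeholders; values travel
// separately, so quotes and semicolons in them are stored as data, never parsed as SQL.
function saveComment(mysqli $db, string $user, string $customerCode, string $comments): int
{
    $stmt = $db->prepare('INSERT INTO commentstable (user, customerCode, comments) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $user, $customerCode, $comments); // all three are text fields in the form
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// One UPDATE replaces the question's six near-identical branches. Column names come from
// a fixed allow-list in the code; user data only ever goes through ? placeholders.
function updateWebDiscount(mysqli $db, string $customerCode, array $fields): int
{
    $sets = []; $types = ''; $values = [];
    foreach (['web', 'discount', 'taskFor'] as $col) {   // null means "leave this column alone"
        if (isset($fields[$col])) { $sets[] = "`$col` = ?"; $types .= 's'; $values[] = $fields[$col]; }
    }
    if ($sets === []) { return 0; }
    $types .= 's'; $values[] = $customerCode;
    $stmt = $db->prepare('UPDATE webdiscount SET ' . implode(', ', $sets) . ' WHERE customerCode = ?');
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// 4. Handling the form. The ?? / isset() reads cover the "undefined index" point from the answer.
$db = new mysqli('localhost', 'pf_sales', 'pfsal3s', 'pf_sales');
$db->set_charset('utf8mb4'); // escaping and the server must agree on the connection charset

$field = static fn(string $name): ?string =>
    (isset($_POST[$name]) && $_POST[$name] !== '') ? (string) $_POST[$name] : null;

$code = $field('customerCode');
if ($code !== null) {
    if ($field('comments') !== null) {
        saveComment($db, $field('user') ?? '', $code, $field('comments'));
    }
    $fields = ['web' => $field('web'), 'discount' => $field('discount'), 'taskFor' => $field('taskbox')];
    if ($field('clearbox') === 'done') { $fields['taskFor'] = ''; } // "clear" writes an empty string on purpose
    updateWebDiscount($db, $code, $fields);
}

// For comparison, the first answer's approach: escaping makes the quote survive as data
// (We didn\'t do this), but you must remember it on every value and it does nothing for
// unquoted numeric contexts; prepared statements need no such discipline.
echo $db->real_escape_string($comment), PHP_EOL;
$db->close();
```

The point of the allow-list in updateWebDiscount() is that the only part of the UPDATE that varies is the column list, and that list is chosen by the code, not the request; everything the submitter controls reaches MySQL through bind_param(), so "We didn't do this" and the constructed payload above are both stored as plain text.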

Please switch to prepared statements to prevent this. That will also solve your problem.

No, don't mix mysql_* functions with mysqli_* functions. Better to use prepared statements.

That would be mysqli_real_escape_string, since he is using the mysqli library. It is also the correct fix for the error.

Prepared statements; changed it to mysqli.

@MarcelKorpel please specify the error in the syntax.

Technically the answer is wrong. According to the manual, when using the procedural style the connection should be passed as the first argument.