PHP SQL insert problem
I have the code below to insert data into the database, but when inserting data it sometimes inserts successfully, and most of the time it gives me the following error:

Could not enter data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'first name?', 'Kabul Janm', 'Afghanistan', 'Kabul', 'Kabul', '1985-03-26', 'Mal' at line 1

Can anyone help me? I need it to be stable. The code is as follows:
<html>
<head>
<title>Add New Record in MySQL Database</title>
<script src="SpryAssets/SpryCollapsiblePanel.js" type="text/javascript"></script>
<script src="SpryAssets/SpryTabbedPanels.js" type="text/javascript"></script>
<link href="SpryAssets/SpryCollapsiblePanel.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php
include_once ('top.php');
?>
<?php
include '/Connections/conn.php';
if(isset($_POST['add']))
{
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
if(! get_magic_quotes_gpc() )
{
$first_name = addslashes ($_POST['first_name']);
$last_name = addslashes ($_POST['last_name']);
}
else
{
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
}
$email_address = $_POST['email_address'];
$phone_no = $_POST['Phone_no'];
$user_name = $_POST['user_name'];
$password = $_POST['password'];
$sec_question = $_POST['sec_question'];
$Answer = $_POST['Answer'];
$Country = $_POST['Country'];
$State = $_POST['State'];
$city = $_POST['city'];
$date_birth = $_POST['date_birth'];
$gender = $_POST['gender'];
$sql = "INSERT INTO users(first_name, last_name, email_address, Phone_no, user_name, password, sec_question, Answer, Country, State, city, date_birth, gender) VALUES('$first_name', '$last_name', '$email_address', '$phone_no', '$user_name', '$password', '$sec_question', '$Answer', '$Country', '$State', '$city', '$date_birth', '$gender')";
$dbname;
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
die('Could not enter data: ' . mysql_error());
}
header("Location: /thank.php");
//echo "<center>Thanks for registration in Mashwani Info Tech Free Online Trainings (MOFT)</center>\n";
mysql_close($conn);
}
else
{
?>
<script src="SpryAssets/SpryValidationTextField.js" type="text/javascript"></script>
<link href="SpryAssets/SpryValidationTextField.css" rel="stylesheet" type="text/css" />
<link href="SpryAssets/SpryValidationPassword.css" rel="stylesheet" type="text/css" />
<link href="SpryAssets/SpryValidationConfirm.css" rel="stylesheet" type="text/css" />
<link href="SpryAssets/SpryValidationSelect.css" rel="stylesheet" type="text/css" />
<script src="SpryAssets/SpryValidationPassword.js" type="text/javascript"></script>
<script src="SpryAssets/SpryValidationConfirm.js" type="text/javascript"></script>
<script src="SpryAssets/SpryValidationSelect.js" type="text/javascript"></script>
<table width="100%" background="/Images/gradient_medium.jpg">
<tr>
<td width="100%" height="34">
<!--<center> <marquee behavior="Scroll" width="100%" scrollamount="8" direction="Right"><img src="/Images/mtn.jpg" /> <img src="/Images/mtn1.jpg" /></marquee> </center>
-->
</td>
</tr>
</table>
<table width="100%" align="center" bgcolor="#ECF5F0" border="0">
<tr valign="bottom"> <td height="25"><p> </p>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post" name="form1" id="form1">
<table align="center" border="1">
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap" bordercolor="#CCCC33">First Name</td>
<td width="388"><span id="sprytextfield1">
<input type="text" name="first_name" value="" size="37" id="first_name"/>
<span class="textfieldRequiredMsg">A value is required.</span></span></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">Last Name</td>
<td><input type="text" name="last_name" id="last_name" value="" size="37" /></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">Email Address</td>
<td><span id="sprytextfield2">
<input type="text" name="email_address" id="email_address" value="" size="37" />
<span class="textfieldRequiredMsg">A value is required.</span><span class="textfieldInvalidFormatMsg">Invalid format.</span></span></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">Phone No <font size="-4" color="#00CC66">(0093772221521)</font></td>
<td><span id="sprytextfield3">
<input type="text" name="Phone_no" id="Phone_no" value="" size="37" />
<span class="textfieldRequiredMsg">A value is required.</span><span class="textfieldInvalidFormatMsg">Invalid format.</span></span></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">User Name</td>
<td><span id="sprytextfield4">
<input type="text" name="user_name" id="user_name" value="" size="37" />
<span class="textfieldRequiredMsg">A value is required.</span></span></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">Password <font size="-4" color="#00CC66">(Min 8 Characters) </font></td>
<td><span id="pass">
<input type="password" name="password" value="" size="37" id="password" />
<span class="passwordRequiredMsg">A value is required.</span><span class="passwordInvalidStrengthMsg">The password doesn't meet the specified strength.</span></span></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">Confirm Password:</td>
<td><span id="spryconfirm1">
<label for="confirm"></label>
<input name="confirm" type="password" id="confirm" size="37" />
<span class="confirmRequiredMsg">A value is required.</span><span class="confirmInvalidMsg">The values don't match.</span></span></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">Secret Question</td>
<td><span id="spryselect1">
<label for="sec"></label>
<select name="sec_question" id="sec_question">
<option value="What is your first school name?">What is your first school name?</option>
<option value="Where were you born?">Where were you born?</option>
<option value="What is your father's first name?">What is your father's first name?</option>
<option value="Where did you get your degree?">Where did you get your degree?</option>
</select>
<span class="selectRequiredMsg">Please select an item.</span></span></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">Answer for Question</td>
<td><span id="sprytextfield5">
<input type="text" name="Answer" id="Answer" value="" size="37" />
<span class="textfieldRequiredMsg">A value is required.</span></span></td>
</tr>
<tr valign="baseline">
<td width="61" rowspan="3" align="left" valign="middle" nowrap="nowrap">Address</td>
<td width="121" align="left" nowrap="nowrap">Country</td>
<td><input type="text" name="Country" id="Country" value="" size="37" /></td>
</tr>
<tr valign="baseline">
<td width="121" align="left" nowrap="nowrap">State</td>
<td><span id="sprytextfield6">
<input type="text" name="State" id="State" value="" size="37" />
<span class="textfieldRequiredMsg">A value is required.</span></span></td>
</tr>
<tr valign="baseline">
<td width="121" align="left" nowrap="nowrap">City</td>
<td><span id="sprytextfield7">
<input type="text" name="city" id="city" value="" size="37" />
<span class="textfieldRequiredMsg">A value is required.</span></span></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">Date of Birth <font size="-4" color="#00CC66"> (YYYY-MM-DD) </font></td>
<td><span id="sprytextfield8">
<input type="text" name="date_birth" id="date_birth" value="" size="37" />
<span class="textfieldRequiredMsg">A value is required.</span><span class="textfieldInvalidFormatMsg">Invalid format.</span></span></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="left" nowrap="nowrap">Gender</td>
<td><span id="spryselect2">
<label for="gen"></label>
<select name="gender" id="gender">
<option value="Select your gender here." selected="selected">Select your gender here.</option>
<option value="Male">Male</option>
<option value="Female">Female</option>
</select>
<span class="selectRequiredMsg">Please select an item.</span></span></td>
</tr>
</table>
<center> <input name="add" type="submit" value="Sign Up" id="add" /> </center>
<input type="hidden" name="ID" value="" />
<input type="hidden" name="admin_level" id="admin_level" value="" />
<input type="hidden" name="time_stamp" id="time_stamp" value="" />
<input type="hidden" name="MM_insert" value="form1" />
</form>
<p> </p></td>
</tr>
</table>
<?php
}
?>
<script type="text/javascript">
var sprytextfield1 = new Spry.Widget.ValidationTextField("sprytextfield1", "none", {validateOn:["blur"]});
var sprytextfield2 = new Spry.Widget.ValidationTextField("sprytextfield2", "email");
var sprytextfield3 = new Spry.Widget.ValidationTextField("sprytextfield3", "phone_number", {format:"phone_custom"});
var sprytextfield4 = new Spry.Widget.ValidationTextField("sprytextfield4");
var sprypassword1 = new Spry.Widget.ValidationPassword("pass", {minAlphaChars:1, minUpperAlphaChars:1, minSpecialChars:1, validateOn:["blur"]});
var spryconfirm1 = new Spry.Widget.ValidationConfirm("spryconfirm1", "password", {validateOn:["blur"]});
var spryselect1 = new Spry.Widget.ValidationSelect("spryselect1");
var sprytextfield5 = new Spry.Widget.ValidationTextField("sprytextfield5");
var sprytextfield6 = new Spry.Widget.ValidationTextField("sprytextfield6");
var sprytextfield7 = new Spry.Widget.ValidationTextField("sprytextfield7");
var sprytextfield8 = new Spry.Widget.ValidationTextField("sprytextfield8", "date", {format:"yyyy-mm-dd"});
var spryselect2 = new Spry.Widget.ValidationSelect("spryselect2");
var CollapsiblePanel1 = new Spry.Widget.CollapsiblePanel("CollapsiblePanel1");
</script>
<?php
include_once ('bottom.php');
?>
</body>
</html>
You must escape the ' character before using the data in a query.
What happens is that the user types a ' into an input field and MySQL throws an error.
Use prepared statements, which handle this automatically.
Here is a good example.
EDIT:
Edit your code as follows:
if(! get_magic_quotes_gpc() )
{
$first_name = addslashes ($_POST['first_name']);
$last_name = addslashes ($_POST['last_name']);
$email_address = addslashes ($_POST['email_address']);
$phone_no = addslashes ($_POST['Phone_no']);
$user_name = addslashes ($_POST['user_name']);
$password = addslashes ($_POST['password']);
$sec_question = addslashes ($_POST['sec_question']);
$Answer = addslashes ($_POST['Answer']);
$Country = addslashes ($_POST['Country']);
$State = addslashes ($_POST['State']);
$city = addslashes ($_POST['city']);
$date_birth = addslashes ($_POST['date_birth']);
$gender = addslashes ($_POST['gender']);
}
else
{
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$phone_no = $_POST['Phone_no'];
$user_name = $_POST['user_name'];
$password = $_POST['password'];
$sec_question = $_POST['sec_question'];
$Answer = $_POST['Answer'];
$Country = $_POST['Country'];
$State = $_POST['State'];
$city = $_POST['city'];
$date_birth = $_POST['date_birth'];
$gender = $_POST['gender'];
}
That should prevent the error.

You are not escaping user input correctly, so any user-entered field containing an apostrophe will cause a syntax error in the query. This is the root cause of SQL injection vulnerabilities. At the very least you should escape all of your user input with mysql_real_escape_string(), but you should consider using prepared statements. Note also that mysql_*() is deprecated and you should not use it for new code. Use mysqli_*() or PDO instead.
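The prepared-statement approach the answers recommend, as an added example (not code from the question or the answers): the same thirteen-column INSERT from the question rewritten with PDO and bound parameters, so a value such as "O'Brien" or a question containing "father's" is sent separately from the SQL text and can no longer break the syntax. The DSN and credentials are placeholders and the input row is constructed; the table and column names are the ones from the question.

```php
<?php
// Added example: PDO prepared statement for the `users` INSERT from the question.
// DSN/credentials are placeholders; $input is a constructed sample row.
declare(strict_types=1);

// Fixed column list, owned by the application, never taken from the request.
$fields = ['first_name', 'last_name', 'email_address', 'Phone_no', 'user_name',
           'password', 'sec_question', 'Answer', 'Country', 'State', 'city',
           'date_birth', 'gender'];

// Constructed sample input. The apostrophes in last_name and sec_question are
// exactly what produced the "error in your SQL syntax" in the question.
$input = [
    'first_name'    => 'Kabul',
    'last_name'     => "O'Brien",
    'email_address' => 'user@example.com',
    'Phone_no'      => '0093772221521',
    'user_name'     => 'kabul85',
    'password'      => 'S3cret!pass',
    'sec_question'  => "What is your father's first name?",
    'Answer'        => 'Janm',
    'Country'       => 'Afghanistan',
    'State'         => 'Kabul',
    'city'          => 'Kabul',
    'date_birth'    => '1985-03-26',
    'gender'        => 'Male',
];

$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
               'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of silently failing
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

// The SQL text contains only column names and '?' placeholders; the values
// travel separately in execute(), so quotes in them cannot alter the statement.
$sql = sprintf('INSERT INTO users (%s) VALUES (%s)',
               implode(', ', $fields),
               implode(', ', array_fill(0, count($fields), '?')));
$stmt = $pdo->prepare($sql);

$values = [];
foreach ($fields as $f) {
    $values[] = $input[$f] ?? null; // absent field becomes NULL rather than a notice
}
// Store a password hash rather than the plaintext the question's code stores.
$values[array_search('password', $fields, true)] = password_hash($input['password'], PASSWORD_DEFAULT);

$stmt->execute($values);
echo "Inserted row id " . $pdo->lastInsertId() . "\n";
```

The same bound-parameter pattern applies to mysqli_prepare()/bind_param() if you stay with the mysqli extension.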
Hi, thanks for the reply, but how and where do I put the escaping code to avoid this problem?

Hi, thanks for the reply, but how and where do I put the escaping code to avoid this problem, dear? I am still waiting for an answer, as I am completely new to MySQL and PHP; that is why a short answer is the idea right now. Please consider my query as critical.

I have already given you a quick solution. Also, if you want to learn PHP, you might consider downloading some e-books with examples and following them.