Fatal编程技术网
  • php/
  • PHP MSSQL查询语法错误

PHP MSSQL查询语法错误

php sql-server syntax

PHP MSSQL查询语法错误,php,sql-server,syntax,Php,Sql Server,Syntax,我在mssql_查询函数中遇到语法错误问题。在尝试了一段时间不同的东西后,我想我应该把它带到这里来。谢谢你的帮助 代码如下: <?php ... $name = $_POST['name']; $contactname = $_POST['contactname']; $contacttitle = $_POST['contacttitle']; $streetaddress = $_POST['streetaddress']; $city = $_POST['city']; $state

我在mssql_查询函数中遇到语法错误问题。在尝试了一段时间不同的东西后,我想我应该把它带到这里来。谢谢你的帮助

代码如下:

<?php
...
$name = $_POST['name'];
$contactname = $_POST['contactname'];
$contacttitle = $_POST['contacttitle'];
$streetaddress = $_POST['streetaddress'];
$city = $_POST['city'];
$state = $_POST['state'];
$zipcode = $_POST['zipcode'];
$telephone = $_POST['telephone'];
$fax = $_POST['fax'];
$email = $_POST['email'];
$director = $_POST['director'];
$affiliation1 = $_POST['affiliation1'];
$address1 = $_POST['address1'];
$phone1 = $_POST['phone1'];
$affiliation2 = $_POST['affiliation2'];
$address2 = $_POST['address2'];
$phone2 = $_POST['phone2'];
$affiliation3 = $_POST['affiliation3'];
$address3 = $_POST['address3'];
$phone3 = $_POST['phone3'];
$yearsoperational = $_POST['yearsoperational'];
$donorsannually = $_POST['donorsannually'];
$limit = $_POST['limit'];
$coveraget = $_POST['coverage'];
$donors1 = $_POST['donors1'];
$claims1 = $_POST['claims1'];
$medexppaid1 = $_POST['medexppaid1'];
$donors2 = $_POST['donors2'];
$claims2 = $_POST['claims2'];
$medexppaid2 = $_POST['medexppaid2'];
$donors3 = $_POST['donors3'];
$claims3 = $_POST['claims3'];
$medexppaid3 = $_POST['medexppaid3'];
$donorinstructions = $_POST['donorinstructions'];

//Connect to MSSQL Server
$myServer = ".\MSSQLSERVER2008";
$myUser = "user";
$myPass = "password";
$myDB = "database,name"; 

//connection to the server
$dbhandle = mssql_connect($myServer, $myUser, $myPass)
  or die("Couldn't connect to SQL Server on $myServer"); 

  //select a database to work with
$selected = mssql_select_db($myDB, $dbhandle)
  or die("Couldn't open database $myDB"); 

//insert form results into database
$query = mssql_query("INSERT INTO table_name (Name_of_Center,Name,Title,Street_Address,City,State,Zipcode,Phone,Fax,Email,Director,HA1,HA1_Address,
HA1_Phone,HA2,HA2_Address,HA2_Phone,HA3,HA3_Address,HA3_Phone,No_of_Years_Operational,Donors_Annually,Limit,Coverage,
Donors_2012,Donors_2011,Donors_2010,Claims_2012,Claims_2011,Claims_2010,Med_Exp_Paid_2012,Med_Exp_Paid_2011,Med_Exp_Paid_2010,Donor_Instructions)
VALUES ($name,$contactname,$contacttitle,$streetaddress,$city,$state,$zipcode,$telephone,$fax,$email,$director,$affiliation1,$address1,$phone1,$affiliation2,
$address2,$phone2,$affiliation3,$address3,$phone3,$yearsoperational,$donorsannually,$limit,$coverage,$donors1,$claims1,$medexppaid1,$donors2,$claims2,$medexppaid2,
$donors3,$claims3,$medexppaid3,$donorinstructions);");
if(!$query){
echo 'Failed to receive data. Please try again, or contact support';
}
else{
echo 'Successfully received data.';
$results = mysql_query($query);
var_dump($results);
}

mssql_close()
?>
以下是浏览器中的错误:

Warning: mssql_query() [function.mssql-query]: message: Incorrect syntax near ','. (severity 15)

你的整个问题是你很容易受到攻击。如果您意识到了这个问题,您也会意识到为什么您的查询有这些语法错误,并且从根本上被破坏了:您忘记引用插入到查询中的每一个数据位

一个真正无法解决根本问题的快速解决方案:

VALUES ('$name','$contactname','$contacttitle',etc...
        ^-----^-^--- insert quotes everywhere.
您的代码易受攻击。你需要更新它以使用预先准备好的声明来防止你的网站被黑客攻击。我希望在我完成所有功能后就这样做,除非现在这样做更有意义。我只是没有研究过它,所以我认为它会很耗时,而且我已经到了让代码先运行的最后期限了。最后期限从来都不是编写糟糕的不安全代码的借口。无论你现在写的是什么废话,当它稍后打到你的粉丝时,都会被扔回你的脸上。 
VALUES ('$name','$contactname','$contacttitle',etc...
        ^-----^-^--- insert quotes everywhere.