我一直收到语法错误,我不知道什么是错的。我可以不拨打预定的字符串吗?
$sqlstring= "INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends)
VALUES (NULL , $email, $password, $name, CURDATE() , 0);";
答案 0 :(得分:2)
如果$email, $password, $name都是varchar或string,则需要用单引号将它们包装起来。
$sqlstring= "INSERT INTO friends (friend_id , friend_email , password ,
profile_name , date_started , num_of_friends)
VALUES (NULL , '$email', '$password', '$name', CURDATE() , 0)";
您的查询对SQL Injection有效,请花点时间阅读以下文章以免SQL Injction
答案 1 :(得分:1)
使用引号删除最后一个分号和环绕值。
$sqlstring= "INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends)
VALUES (NULL , '$email', '$password', '$name', CURDATE() , 0)";
答案 2 :(得分:0)
如果您接受查询中的用户输入,则将其简单地添加到SQL语句中是非常危险的。
如果您使用的是现代PHP,那么use PDO to prepare your statement ...
$sth = $dbh->prepare('INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends)
VALUES (NULL , ?, ?, ?, CURDATE() , 0)');
$sth->execute(array($email, $password, $name));
或者,如果你想坚持旧学校,逃避他们:
$sqlstring = sprintf('INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends) VALUES (NULL , %s, %s, %s, CURDATE() , 0)',
mysql_real_escape_string($email),
mysql_real_escape_string($password),
mysql_real_escape_string($name)
);
答案 3 :(得分:0)
您更新的查询是:
$sqlstring = "INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends) VALUES (NULL , '$email', '$password', '$name', CURDATE() , 0)";