function insertVisitorInfoSignIn($att_id, $card_no, $purpose, $block, $level, $staff_email, $pa_email, $staff_id,$dept_id){
$time_in = getTime();
$sql = "insert into visitor_history (att_id, card_no, time_in, purpose, block, level, staff_email, pa_email, staff_id,dept_id)
values ($att_id, '$card_no', '$time_in', '$purpose', '$block', '$level', '$staff_email', '$pa_email', $staff_id,$dept_id)";
$rs = mysql_query($sql) or die ("Error in function insertVisitorInfoSignIn ");
}
答案 0 :(得分:1)
这就是你正在使用的:
$sql = "insert into visitor_history
( att_id, card_no, time_in, purpose, block,
level, staff_email, pa_email, staff_id, dept_id)
values ( $att_id, '$card_no', '$time_in', '$purpose', '$block',
'$level', '$staff_email', '$pa_email', $staff_id, $dept_id)";
应该是这样的:
$sql = "insert into visitor_history
( att_id, card_no, time_in, purpose, block,
level, staff_email, pa_email, staff_id,dept_id)
values ( '$att_id', '$card_no', '$time_in', '$purpose', '$block',
'$level', '$staff_email', '$pa_email', '$staff_id', '$dept_id')";
在通过变量传递值时,您在查询中错过了''的某些变量。
我们建议您使用mysql_real_escape_string()来阻止您的数据库进行SQL注入,并尝试使用mysqli或PDO,因为不推荐使用mysql扩展。