PHP PDO error 1064

Time: 2013-04-05 20:40:08

Tags: php mysql pdo

I'm running into a small problem: when I submit data on the forum, I get this error:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Explain, Country, IP, Hostname) 

My code is:

        $STH = $DBH->prepare("INSERT INTO `Applications` (`Username`, `Email`, `Age`, `Reason`, `Explain`, `Country`, `IP`, `Hostname`) VALUES ($username, $email, $age, $reason, $explain, $country, $ip, $hostname)");
        $STH->execute();

I can't seem to find the problem.

1 answer:

Answer 0 (score: 2)

You're not using PDO correctly, which creates massive SQL injection problems. Values placed into SQL need to be properly escaped.

The placeholder method instructs you to do it like this:

$STH = $DBH->prepare("INSERT INTO `Applications` (`Username`, `Email`, `Age`, `Reason`, `Explain`, `Country`, `IP`, `Hostname`) VALUES (:username, :email, :age, :reason, :explain, :country, :ip, :hostname)");
$STH->bindParam(':username', $username);
$STH->bindParam(':email', $email);
... (remaining columns) ..
$STH->bindParam(':hostname', $hostname);
$STH->execute();

This is the best way to make sure your SQL is properly escaped.
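Added example (not the answer's or the asker's code): a complete, runnable version of the placeholder approach, using the column list from the question. It assumes the `pdo_sqlite` driver is available and uses an in-memory SQLite database so it runs stand-alone; with MySQL you would only change the DSN. The sample row is constructed to contain quotes, commas and parentheses, the kind of input that breaks (or hijacks) the original string-interpolated query but is stored verbatim when bound as a parameter.

```php
<?php
// Added example, not from the original post. Demonstrates PDO named
// placeholders for the INSERT shown in the question. Uses an in-memory
// SQLite database (assumption: pdo_sqlite is installed) so it runs offline.

function connect(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    // Throw on errors so a failed prepare()/execute() is never silently ignored.
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The MySQL driver emulates prepares by default; turn that off there so the
    // server receives the SQL text and the values separately. SQLite prepares natively.
    if ($dbh->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    // Table mirrors the column list from the question (types are assumptions).
    $dbh->exec("CREATE TABLE `Applications` (
        `Username` TEXT, `Email` TEXT, `Age` INTEGER, `Reason` TEXT,
        `Explain` TEXT, `Country` TEXT, `IP` TEXT, `Hostname` TEXT)");
    return $dbh;
}

function insertApplication(PDO $dbh, array $row): void
{
    $sql = "INSERT INTO `Applications`
                (`Username`, `Email`, `Age`, `Reason`, `Explain`, `Country`, `IP`, `Hostname`)
            VALUES (:username, :email, :age, :reason, :explain, :country, :ip, :hostname)";
    $sth = $dbh->prepare($sql);
    // Passing the array to execute() binds every placeholder in one step; it is
    // equivalent to the bindParam() calls in the answer. Values never become
    // part of the SQL text, so quoting and escaping are handled by the driver.
    $sth->execute([
        ':username' => $row['username'],
        ':email'    => $row['email'],
        ':age'      => $row['age'],
        ':reason'   => $row['reason'],
        ':explain'  => $row['explain'],
        ':country'  => $row['country'],
        ':ip'       => $row['ip'],
        ':hostname' => $row['hostname'],
    ]);
}

// Constructed sample input: the quote, commas and parentheses in these values
// would produce exactly the kind of 1064 syntax error the question shows if
// they were interpolated into the query string unquoted.
$sample = [
    'username' => "O'Brien",
    'email'    => 'obrien@example.com',
    'age'      => 31,
    'reason'   => "I'd like to join",
    'explain'  => "Likes (parentheses), commas, and 'quotes'",
    'country'  => 'IE',
    'ip'       => '192.0.2.10',
    'hostname' => 'host.example.com',
];

$dbh = connect();
insertApplication($dbh, $sample);

// Read the awkward value back and confirm it was stored exactly as given.
$stored = $dbh->query("SELECT `Explain` FROM `Applications`")->fetchColumn();
if ($stored !== $sample['explain']) {
    throw new RuntimeException("value was not stored verbatim: $stored");
}
echo "stored verbatim: $stored\n";
```

Run it with `php example.php`. The two attributes set in `connect()` are the part most often skipped: without `ERRMODE_EXCEPTION` a failed `execute()` just returns `false`, and on MySQL leaving prepare emulation on means the driver builds the quoted query client-side instead of sending the values separately.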