出于某种原因,我的广告功能遇到了一些麻烦。嗯,每次按下添加表单上的提交按钮,我都会用简单的英语收到这个错误。
您的SQL语法有错误;检查手册 对应于您的MySQL服务器版本,以便使用正确的语法 靠近'Content here,content here',让它看起来像可读 英语。许多桌面'在第2行
现在我并没有完全说出mysql,所以这对我来说只是简洁。我想知道你们中是否有人能够理解我。问题中的代码用**突出显示,以**结尾。所有strtolower / htmlentities / strip_tags都是我第一次尝试阻止sql注入和xss。对此的任何帮助也会很酷。提前谢谢。
$error = array();
//revalidate form in case javascript is disabled
if(isset($_POST['add'])){
$title = strtolower(htmlentities(strip_tags($_POST['title'])));
$price = strtolower(htmlentities(strip_tags($_POST['price'])));
$location = strtolower(htmlentities(strip_tags($_POST['location'])));
$cat = strtolower(htmlentities(strip_tags($_POST['list_one'])));
$sub = strtolower(htmlentities(strip_tags($_POST['list_two'])));
$description = htmlentities(strip_tags($_POST['description']));
$email = strtolower(htmlentities(strip_tags($_POST['email'])));
$password = strtolower(htmlentities(strip_tags($_POST['password'])));
if(empty($title) || empty($price) || empty($location) || strcmp($cat,'none') == 0
|| strcmp($sub,'none') == 0 || empty($description) || empty($email) || empty ($password)){
$error[] = 'Please fill in the form!';
}else if(!is_numeric($price)){
$error[] = 'Price must be numeric!';
}else if(!preg_match('/^[a-zA-Z0-9_]+$/', $title)){
$error[] = 'Title must be alphanumeric!';
}else if(!preg_match('/^[a-zA-Z]+$/', $location)){
$error[] = 'Location must be characters only!';
}else if(strlen($location) > 17){
$error[] = 'Your location may not be more than 17 characters!';
}else if(!preg_match('/^([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/',$email)){
$error[] = 'Your email is not in the correct format!';
}else if(strlen($password) < 6){
$error[] = 'Your password must be atleast 6 characters long!';
}else{
//no errors. check email and password match
$hashPass = md5($password);
$query_user = mysql_query("SELECT * FROM users WHERE email='$email'") or die(mysql_error());
if(mysql_num_rows($query_user) != 0){
while($row = mysql_fetch_array($query_user)){
$user_id = $row['id'];
$pass = $row['password'];
}
if(strcmp($hashPass,$pass) == 0){
**$insert_ad = mysql_query("INSERT INTO ads(id,user_id,title,price,location,category,sub_category,description,dateCreated)
VALUES('','$user_id','$title','$price','$location','$cat','$sub','$description',CURRENT_DATE())") or die(mysql_error());**
}else{
$error[] = 'Your password didn\'t match the password in our system';
}
}else{
$insert_user = mysql_query("INSERT INTO users(id, email, password, vote_count) VALUES ('','$email','$hashPass', 0)") or die(mysql_error());
$user_id = mysql_insert_id();
**$insert_ad = mysql_query("INSERT INTO ads(id,user_id,title,price,location,category,sub_category,description, dateCreated)
VALUES ('', '$user_id', '$title', '$price', '$location', '$cat', '$sub', '$description', CURRENT_DATE())") or die(mysql_error());**
}
}
if(!empty($error)){
foreach($error as $key => $values){
$error_message = "$values";
}
header('Location: add.php?error_with_add'.urlencode($error_message));
exit();
}
}
?>
答案 0 :(得分:0)
你遇到这个错误的主要原因是因为你没有逃脱你的报价。例如,这是没有转义的情况:
$query = "INSERT INTO foo (something) VALUES ('I'm really interested in coding here.')";
请注意单引号是如何在I后面结束的。
但是当您使用mysql_real_escape_string,MySQLi或PDO转义值时,它会变成这样:
$query = "INSERT INTO foo (something) VALUES ('I\'m really interested in coding here.')";
并且,没有显示错误,因为报价已被转义。