我遇到了一些我发现的PHP代码问题。该页面连接到MySQL数据库,列出记录并提供删除记录的按钮以及输入新记录的表单。列表和删除工作正常,但当我去添加新记录时,它会出现以下错误
“INSERT失败:INSERT INTO产品VALUES('3',测试名称','测试nombre','66','0','77',>'0','测试描述','测试描述esp','测试笔记') 您的SQL语法有错误;查看与您的MySQL服务器相关的手册>版本,以便在'name','test nombre','66','0','77','0','Test> descript'附近使用正确的语法,'测试描述esp''在第1行“
我检查了错别字,但无法发现任何事情 - 希望有人能够发现我做错了什么并指出我正确的方向。谢谢。这是PHP代码:
<?php
$pageTitle = "MIS Dashboard";
include ('includes/header.php'); ?>
<div class="wrapper">
<?php // productsadmin.php
require_once 'includes/login.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database, $db_server)
or die("Unable to select database: " . mysql_error());
if (isset($_POST['delete']) && isset($_POST['product_id']))
{
$product_id = get_post('product_id');
$query = "DELETE FROM products WHERE product_id='$product_id'";
if (!mysql_query($query, $db_server))
echo "DELETE failed: $query<br />" .
mysql_error() . "<br /><br />";
}
if (isset($_POST['product_id']) &&
isset($_POST['name_eng']) &&
isset($_POST['name_esp']) &&
isset($_POST['netprice_bob']) &&
isset($_POST['netprice_usd']) &&
isset($_POST['sellingprice_bob']) &&
isset($_POST['sellingprice_usd']) &&
isset($_POST['description_eng']) &&
isset($_POST['description_esp']) &&
isset($_POST['notes']))
{
$product_id = get_post('product_id');
$name_eng = get_post('name_eng');
$name_esp = get_post('name_esp');
$netprice_bob = get_post('netprice_bob');
$netprice_usd = get_post('netprice_usd');
$sellingprice_bob = get_post('sellingprice_bob');
$sellingprice_usd = get_post('sellingprice_usd');
$description_eng = get_post('description_eng');
$description_esp = get_post('description_esp');
$notes = get_post('notes');
$query = "INSERT INTO products VALUES" .
"('$product_id', $name_eng', '$name_esp', '$netprice_bob', '$netprice_usd', '$sellingprice_bob', '$sellingprice_usd', '$description_eng', '$description_esp', '$notes')";
if (!mysql_query($query, $db_server))
echo "INSERT failed: $query<br />" .
mysql_error() . "<br /><br />";
}
echo <<<_END
<form action="productsadmin.php" method="post"><pre>
Product ID: <input type="text" name="product_id" />
Name: <input type="text" name="name_eng" />
Nombre: <input type="text" name="name_esp" />
Net Price BOB: <input type="text" name="netprice_bob" />
Net Price USD: <input type="text" name="netprice_usd" />
Selling Price BOB: <input type="text" name="sellingprice_bob" />
Selling Price USD: <input type="text" name="sellingprice_usd" />
Description : <input type="text" name="description_eng" />
Descripcion : <input type="text" name="description_esp" />
Notes : <input type="text" name="notes" />
<input type="submit" value="ADD RECORD" />
</pre></form>
_END;
$query = "SELECT * FROM products";
$result = mysql_query($query);
if (!$result) die ("Database access failed: " . mysql_error());
$rows = mysql_num_rows($result);
for ($j = 0 ; $j < $rows ; ++$j)
{
$row = mysql_fetch_row($result);
echo <<<_END
<pre>
Product ID: $row[0]
Name: $row[1]
Nombre: $row[2]
Net Price BOB: $row[3]
Net Price USD: $row[4]
Selling Price BOB: $row[5]
Selling Price USD: $row[6]
Description: $row[7]
Descripcion: $row[8]
Notes: $row[9]
</pre>
<form action="productsadmin.php" method="post">
<input type="hidden" name="delete" value="yes" />
<input type="hidden" name="product_id" value="$row[0]" />
<input type="submit" value="DELETE RECORD" /></form>
_END;
}
mysql_close($db_server);
function get_post($var)
{
return mysql_real_escape_string($_POST[$var]);
}
?>
</div>
<?php include ('includes/footer.php'); ?>
答案 0 :(得分:3)
你缺少第二个值的单引号
INSERT INTO products VALUES('3', 'test name', 'test nombre', ...)
-- ^ here: add single quote
在将值插入数据库之前,还需要对值进行清理。我建议您使用PDO或MYSQLi扩展名来阻止SQL Injection。
答案 1 :(得分:0)
INSERT failed: INSERT INTO products VALUES('3', test name', 'test nombre', '66', '0', '77', >'0', 'Test descript', 'Test descript esp', 'test notes').
有两个问题。 第二个值没有开始单引号,而七个值是&gt;'0'