I built a recipe website for my PHP class. The only thing I cannot figure out is how to let users add their own recipes. I created a form, but when I click the submit button I get this error: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''servings', 'image') VALUES (NULL, 'Oatmeal Pancakes II', 'I make this for my kids' at line 1". I would appreciate any help! Thanks!
<?php
// make a note of the current working directory relative to root.
$directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);
// make a note of the location of the upload handler
$uploadHandler = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'upload.processor.php';
// set a max file size for the html upload form
$max_file_size = 30000; // size in bytes
?>
<?php
//include functions
require_once('includes/functions.php'); ?>
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Add a Recipe</title>
<link href="Images/style.css" rel="stylesheet" type="text/css">
</head>
<?php
$name = isset($_POST['name']) ? $_POST['name'] : '';
$description = isset($_POST['description']) ? $_POST['description'] : '';
$ingredients = isset($_POST['ingredients']) ? $_POST['ingredients'] : '';
$preparation = isset($_POST['preparation']) ? $_POST['preparation'] : '';
$category_id = isset($_POST['category_id']) ? $_POST['category_id'] : '';
$servings = isset($_POST['servings']) ? $_POST['servings'] : '';
$image = isset($_POST['image']) ? $_POST['image'] : '';
//connect to database
require_once('includes/mysqli_connect_recipe.php');
//if submit button clicked
if(isset($_POST['submit'])){
    $valid = true;
    // require name, description, ingredients and preparation with at least 2 characters
    if(strlen($name) < 2){
        $valid = false;
        echo "Please provide a valid recipe name.<br>";
    }
    if(strlen($description) < 2){
        $valid = false;
        echo "Please provide a valid description.<br>";
    }
    if(strlen($ingredients) < 10){
        $valid = false;
        echo "Please provide valid ingredients.<br>";
    }
    if(strlen($preparation) < 10){
        $valid = false;
        echo "Please provide valid instructions.<br>";
    }
    //sanitize servings and category_id
    $servings = intval($servings); //force $servings to be a number (0 if a string is entered)
    $category_id = intval($category_id); // the radio-button value is also a number
    // sanitize against SQL injections (do this for every field that's coming from the form)
    $name = mysqli_real_escape_string($dbc, $name);
    $description = mysqli_real_escape_string($dbc, $description);
    $ingredients = mysqli_real_escape_string($dbc, $ingredients);
    $preparation = mysqli_real_escape_string($dbc, $preparation);
    $image = mysqli_real_escape_string($dbc, $image);
    // sanitize against XSS attacks - DO THIS TO ALL FIELDS
    $description = strip_tags($description);
    $name = strip_tags($name);
    $ingredients = strip_tags($ingredients);
    $preparation = htmlspecialchars($preparation);
    if($valid){
        // insert SQL (note: 'servings' and 'image' are wrapped in single quotes here, unlike the other column names)
        $insert = "INSERT INTO `sburg5`.`recipes` (`recipe_id`, `name`, `description`, `ingredients`, `preparation`, `category_id`, 'servings', 'image') VALUES (NULL, '$name', '$description', '$ingredients', '$preparation', '$category_id', '$servings', '$image');";
        // execute insert query
        $result = mysqli_query($dbc, $insert) or die(mysqli_error($dbc));
        echo "Thank you for submitting a recipe!";
        // an INSERT returns no rows, so re-read the new recipe by its auto-increment id before printing it
        $recipe_id = mysqli_insert_id($dbc);
        $result = mysqli_query($dbc, "SELECT * FROM `sburg5`.`recipes` WHERE `recipe_id` = $recipe_id") or die(mysqli_error($dbc));
        // output recipe (escape on output too, in case stored text contains HTML)
        while($row = mysqli_fetch_array($result)){
            echo "<h3>" . htmlspecialchars($row['name']) . "</h3>
            <p><img src=\"data:image/jpeg;base64," . base64_encode($row['image']) . "\"></p>
            <p>" . htmlspecialchars($row['description']) . "</p>
            <p>" . nl2br(htmlspecialchars($row['ingredients'])) . "</p>
            <a href=\"addarecipe_edit.php?recipe_id={$row['recipe_id']}\">[edit]</a>
            <a href=\"addarecipe_delete.php?recipe_id={$row['recipe_id']}\">[delete]</a>
            <hr>";
        }
    }
}
?>
<form id="Upload" action="<?php echo $uploadHandler ?>" enctype="multipart/form-data" method="post">
<p>
<label for="name">Recipe Name:</label>
<input type="text" name="name" id="name" >
</p>
<p>
<label for="servings">Servings:</label>
<input type="text" cols="50" name="servings" id="servings">
</p>
<p>
<label for="description">Description:</label>
<textarea rows="4" cols="50" name="description" id="description"></textarea>
</p>
<p>
<label>Type of Recipe:
<input type="radio" name="category_id" value="1" id="category_0" >Main Entree</label>
<label>
<input type="radio" name="category_id" value="2" id="category_1">Appetizer</label>
<label>
<input type="radio" name="category_id" value="3" id="category_2" >Side Dish</label>
<label>
<input type="radio" name="category_id" value="4" id="category_3" >Dessert</label>
</p>
<p>
<label for="ingredients">Ingredients:</label>
<textarea rows="10" cols="50" name="ingredients" id="ingredients" placeholder="Separate each ingredient with a return."></textarea>
</p>
<p>
<label for="preparation">Preparation:</label>
<textarea rows="10" cols="50" name="preparation" id="preparation"></textarea>
</p>
<p>
<input name="MAX_FILE_SIZE" value="<?php echo $max_file_size ?>" type="hidden">
<label for="file">File to upload:</label>
<input id="file" type="file" name="file">
</p>
<p class="submit">
<input type="submit" name="submit" value="Upload me!">
</p>
</form>
<?php
// close connection to database
mysqli_close($dbc); ?>
Answer 0 (score: 1)
The reason your query is invalid is that you wrapped column names in single quotes. They are identifiers, not string literals, so they must not be wrapped in single quotes.
INSERT INTO recipes (`recipe_id`, `name`, `description`,
                     `ingredients`, `preparation`,
                     `category_id`, 'servings', 'image')
                                   ^ the problem is here
                                             ^ it should be a backtick
If the column and/or table names you use are reserved keywords, you can escape them with backticks, not with single quotes.
In this case the backticks are not even needed, because none of them is a reserved keyword.
Answer 1 (score: 0)
Obviously you are using 'servings', 'image', which should be servings and images ... but I think INSERT INTO table_name VALUES (value1, value2, value3, ...) is the syntax you should use. For example:
$sql = "INSERT INTO tutorials_tbl " .
       "(tutorial_title, tutorial_author, submission_date) " .
       "VALUES " .
       "('$tutorial_title', '$tutorial_author', '$submission_date')";
https://dev.mysql.com/doc/refman/5.5/en/insert.html
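The following is an added example, not code from the question or from either answer, that rewrites the asker's INSERT the way both answers point at and then goes one step further: column names sit in backticks (or bare), and the values are bound parameters of a mysqli prepared statement, so the quoting mistake from the question cannot happen and no mysqli_real_escape_string calls are needed. It also moves HTML escaping from input time (strip_tags in the question) to output time. It assumes the $dbc connection opened by includes/mysqli_connect_recipe.php, the column names from the question, that recipe_id is AUTO_INCREMENT, that the category radio buttons carry the values 1..4 shown in the form, and that mysqli is built on mysqlnd (required for mysqli_stmt_get_result).

```php
<?php
// Added example, not the asker's or the answerers' code.
// Assumes: $dbc is the mysqli connection from includes/mysqli_connect_recipe.php,
// the `recipes` table has the columns named in the question, and `recipe_id`
// is AUTO_INCREMENT so it can be left out of the column list.

function insert_recipe(mysqli $dbc, array $form): int
{
    // Numeric fields: cast, then range-check against what the form offers
    // (the category radio buttons carry the values 1..4; taken from the form).
    $category_id = (int) ($form['category_id'] ?? 0);
    if ($category_id < 1 || $category_id > 4) {
        throw new InvalidArgumentException('unknown category_id');
    }
    $servings = max(0, (int) ($form['servings'] ?? 0));

    // Text fields are stored as submitted (no strip_tags): escaping belongs at
    // output time, where the target context (HTML here) is known.
    $name        = trim((string) ($form['name'] ?? ''));
    $description = trim((string) ($form['description'] ?? ''));
    $ingredients = trim((string) ($form['ingredients'] ?? ''));
    $preparation = trim((string) ($form['preparation'] ?? ''));
    // Binary image data, or NULL when nothing was supplied (assumed nullable column).
    $image = (isset($form['image']) && $form['image'] !== '') ? $form['image'] : null;

    // Identifiers in backticks, values as ? placeholders: the server never sees
    // user input as part of the SQL text, so no manual escaping is needed.
    $sql = 'INSERT INTO `recipes` '
         . '(`name`, `description`, `ingredients`, `preparation`, `category_id`, `servings`, `image`) '
         . 'VALUES (?, ?, ?, ?, ?, ?, ?)';
    $stmt = mysqli_prepare($dbc, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($dbc));
    }
    // Type string: s = string, i = integer. A PHP null bound as 's' is sent as SQL NULL.
    mysqli_stmt_bind_param($stmt, 'ssssiis',
        $name, $description, $ingredients, $preparation, $category_id, $servings, $image);
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('insert failed: ' . $err);
    }
    mysqli_stmt_close($stmt);
    return (int) mysqli_insert_id($dbc);
}

// Re-read one recipe by id. The id is bound too, even though it is already an integer.
function fetch_recipe(mysqli $dbc, int $recipe_id): ?array
{
    $stmt = mysqli_prepare($dbc,
        'SELECT `recipe_id`, `name`, `description`, `ingredients`, `image` '
        . 'FROM `recipes` WHERE `recipe_id` = ?');
    mysqli_stmt_bind_param($stmt, 'i', $recipe_id);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // needs mysqlnd (assumption)
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// Escape at output: every user-supplied value passes through htmlspecialchars
// right before it is placed into HTML.
function render_recipe(array $row): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $html = '<h3>' . $h($row['name']) . '</h3>';
    if ($row['image'] !== null) {
        $html .= '<p><img src="data:image/jpeg;base64,' . base64_encode($row['image']) . '"></p>';
    }
    $html .= '<p>' . $h($row['description']) . '</p>'
           . '<p>' . nl2br($h($row['ingredients'])) . '</p>'
           . '<a href="addarecipe_edit.php?recipe_id=' . (int) $row['recipe_id'] . '">[edit]</a>';
    return $html;
}

// Usage, inside the question's if(isset($_POST['submit'])) block after validation:
// $id = insert_recipe($dbc, $_POST);
// echo render_recipe(fetch_recipe($dbc, $id));
```

The type string 'ssssiis' is the only place where field types are declared, so a new column means one more placeholder and one more letter; the database no longer depends on each caller remembering to escape. Note that an uploaded file arrives in $_FILES, not $_POST, so a real handler would read the image bytes from the upload rather than from $form['image'] as assumed here.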