SQL syntax error when submitting form fields with values

Time: 2013-05-29 18:33:20

Tags: php mysql syntax

I am having a problem with SQL. I have tried every fix I could find, and nothing works.

This is the error I get when I submit the form:

**Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'a')' at line 2**

It references the text field name="entity_name", the value of the field that was sent.

To test my fixes for the other fields, I typed in text and randomly put apostrophes in every text field.

Everything works except the first text field. Before that, the error showed syntax problems for all of the text fields and text areas.

I have commented out $member = str_replace("'", "&#039;", $member);

and also commented out $member = mysql_real_escape_string($member);

Neither of them solved the problem, and neither did $member = addslashes($member);

Can someone help me figure out why there is still a SQL syntax problem when there really shouldn't be? Any help I can get would be greatly appreciated.

Here is my code:

<?php
session_start(); 
$con = mysql_connect("localhost","*******","*********"); 
if (!$con) 
  { 
  die('Could not connect: ' . mysql_error()); 
  } 

mysql_select_db("***********", $con);

$memberlinksafe = $_POST['entity_name'];

function strip_punctuation($memberlinksafe) {
    $memberlinksafe = strtolower($memberlinksafe);
    // POSIX character classes must sit inside a bracket expression: [[:punct:]]
    $memberlinksafe = preg_replace("/[[:punct:]]+/", "", $memberlinksafe);
    // str_replace() matches the literal string " +"; a regex is needed to drop runs of spaces
    $memberlinksafe = preg_replace("/ +/", "", $memberlinksafe);
    return $memberlinksafe;
} 

//builds data from logo image to store into database
$logofile = $_FILES['cover_photo']['tmp_name'];

$logo = addslashes(file_get_contents($_FILES['cover_photo']['tmp_name']));
$logo_name = addslashes($_FILES['cover_photo']['tmp_name']);

//build data from cover photo image to store into database
$cover_photo_file = $_FILES['cover_photo']['tmp_name'];

$cover_photo = addslashes(file_get_contents($_FILES['cover_photo']['tmp_name']));
$cover_photo_name = addslashes($_FILES['cover_photo']['tmp_name']);

//build data from search photo image to store into database
$search_image_file = $_FILES['cover_photo']['tmp_name'];

$search_image = addslashes(file_get_contents($_FILES['cover_photo']['tmp_name']));
$search_image_name = addslashes($_FILES['cover_photo']['tmp_name']);

$member = $_POST['member'];
$member = addslashes($member);
//$member = str_replace("'", "&#039;", $member);
//$member = mysql_real_escape_string($member);

//$entity_name = $_POST[entity_name];
//$entity_name = addslashes($entity_name);
//$entity_name = str_replace("'", "&#039;", $entity_name);

$keywords = $_POST['keywords'];
$keywords = addslashes($keywords);

$street_address = $_POST['street_address'];
$street_address = addslashes($street_address);

$city = $_POST['city'];
$city = addslashes($city);

$st = $_POST['st'];
$st = addslashes($st);

$mailcode = $_POST['mailcode'];
$mailcode = addslashes($mailcode);

$website = $_POST['website'];
$website = addslashes($website);

$fb_url = $_POST['fb_url'];
$fb_url = addslashes($fb_url);

$hours = $_POST['hours'];
$hours = addslashes($hours);

$ph_number = $_POST['ph_number'];
$ph_number = addslashes($ph_number);

$body_header = $_POST['body_header'];
$body_header = addslashes($body_header);
//$body_header = str_replace("'", "&#039;", $body_header);

$body_text = $_POST['body_text'];
$body_text = str_replace("'", "&#039;", $body_text);

$search_blurb = $_POST['search_blurb'];
$search_blurb = str_replace("'", "&#039;", $search_blurb);

$sql="INSERT INTO *********** (entity_name, category, keywords, street_address, community_id, city, st, country, mailcode, website, fb_url, email, hours, ph_number, body_header, body_text, search_blurb, dd, ad, ed, gd, md, vd, pd, logo, logofilename, cover_photo, coverphotofilename, search_image, searchimagefilename, memberlinksafe) 
VALUES ('$member','$_POST[category]','$keywords','$street_address','$_POST[community_id]','$city','$st','$_POST[country]','$mailcode','$website','$fb_url','$_POST[email]','$hours','$ph_number','$body_header','$body_text','$search_blurb','$_POST[dd]','$_POST[ad]','$_POST[ed]','$_POST[gd]','$_POST[md]','$_POST[vd]','$_POST[pd]','$logo','$logo_name','$cover_photo','$cover_photo_name','$search_image','$search_image_name','$memberlinksafe')"; 

if (!mysql_query($sql,$con)) 
  { 
  die('Error: ' . mysql_error()); 
  } 
echo "<h1>Thank you for submitting your details!</h1><br><p><a href='business-attraction.php'>Add another</a> business/attraction.</p>"; 

mysql_close($con); 

?>

1 answer:

Answer 0 (score: 0)

First, I can see those errors in your query: you need quotes inside the POST, and you also need to escape them.

Like this

 $dd = mysql_real_escape_string($_POST["dd"]) ;

Change this

'$_POST[dd]','$_POST[ad]','$_POST[ed]','$_POST[gd]','$_POST[md]','$_POST[vd]','$_POST[pd]'

'$dd','$_POST["ad"]','$_POST["ed"]','$_POST["gd"]','$_POST["md"]','$_POST["vd"]','$_POST["pd"]',
 ^^---//continue with other variables escaped like this one
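As an added example that is not part of the question or the answer above: the posted code copies $_POST['entity_name'] into $memberlinksafe with no escaping at all, and the reported error points at the end of the VALUES list, which is where that value lands. The rewrite below sends every value as a bound parameter of a PDO prepared statement, so apostrophes in the input are neither escaped by hand nor able to alter the SQL; it assumes the PDO mysql driver, a placeholder table name "businesses" and placeholder credentials in place of the redacted ones, and shows only the text columns (the image BLOBs are omitted).

```php
<?php
// Added example: the INSERT from the question rebuilt on PDO prepared statements.
// Placeholders below stand in for the database name, credentials and table name
// that are redacted in the original post.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, no silent bad inserts
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Same derivation as the posted strip_punctuation(), with the POSIX class
// bracketed correctly and a real regex for runs of spaces.
function strip_punctuation(string $s): string
{
    $s = strtolower($s);
    $s = preg_replace('/[[:punct:]]+/', '', $s);
    return preg_replace('/ +/', '', $s);
}

// Each column is filled from the form field of the same name (assumption).
$columns = ['entity_name', 'category', 'keywords', 'street_address', 'city',
            'st', 'body_text', 'search_blurb'];
$values  = [];
foreach ($columns as $col) {
    // A bound parameter carries input such as "Bob's Cafe" verbatim;
    // no addslashes()/str_replace()/mysql_real_escape_string() layer is needed.
    $values[":$col"] = $_POST[$col] ?? '';
}
$values[':memberlinksafe'] = strip_punctuation($_POST['entity_name'] ?? '');

// The SQL text contains only column names and named placeholders, never user data.
$columnList   = implode(', ', array_merge($columns, ['memberlinksafe']));
$placeholders = implode(', ', array_keys($values));
$stmt = $pdo->prepare("INSERT INTO businesses ($columnList) VALUES ($placeholders)");
$stmt->execute($values);

echo '<h1>Thank you for submitting your details!</h1>';
```

Because quoting is done by the driver, the "near 'a')'" class of error cannot come from a value containing an apostrophe; any remaining syntax error would point at the column list or table name, which are fixed strings.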