My code gets the following error:
Binding parameters failed: (1064) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '? (Name, Address, Location, Phone, Email, Time, Website, Photo1, Rating, Date_Pu' at line 1
Can someone help me? Here is my code:
include("mysqli.php");
$search_tbl = mysql_query("SELECT * from listing_title where listing_title_ID = '$main_id'");
$tbl_name = $search_tbl['tbl_name'];
$stmt = $db->stmt_init();
global $tbl_name;
if($stmt->prepare("INSERT INTO ? (Name, Address, Location, Phone, Email, Time, Website, Photo1, Rating, Date_Published, categories_ID) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"))
{
$stmt->bind_param('sssssssssisi',$tbl_name,$title,$address,$location,$phone,$email,$time,$website,$name,$rating,$date,$sub_cat);
$title = $_POST['name'];
$email = $_POST['email'];
$address = $_POST['address'];
$location = $_POST['location'];
$phone = $_POST['phone'];
$time = $_POST['time'];
$rating = $_POST['rating'];
$main = $_POST['main'];
$website = $_POST['website'];
$date = date('Y-m-d');
$stmt->execute();
$stmt->close();
}
else
{
echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}
}
else
{
echo 'a';
}
Answer 0 (score: 0)
Your script looks incomplete, but I'll do the best I can with what you have. First, ditch whatever mysqli wrapper garbage you are using. It teaches you bad principles.
First file, your database info. Call it config.php or whatever you want. Use require_once instead of include. Also, drop the parentheses as requested, they are not needed at all, and use single quotes instead of double quotes. Single quotes are treated as a string, whereas with double quotes PHP will search inside for variables, which eats more cpu/cache resources.
config.php
$host = 'localhost';//your db host
$user = 'someuser'; //your db user
$pass = 'somepass'; //your db password
$name = 'somedb'; //the name of your db
$mysqli = new mysqli($host,$user,$pass,$name);
if(mysqli_connect_errno()) {
echo "Connection Failed: " . mysqli_connect_errno();
exit;
}else{
global $mysqli;//make your db connection available globally
}
Now for your script
script.php
require_once 'config.php';
//keep your post variables up here. you still need to santize and trim these
$title = $_POST['name'];
$email = $_POST['email'];
$address = $_POST['address'];
$location = $_POST['location'];
$phone = $_POST['phone'];
$time = $_POST['time'];
$rating = $_POST['rating'];
$main = $_POST['main'];
$website = $_POST['website'];
$date = date('Y-m-d');
global $mysqli;//fetch your db connection
//step 1: look up the table name with the ID bound as a value
//('main' is assumed to be the listing_title_ID; the posted code never defined $main_id)
$stmt = $mysqli->prepare("SELECT tbl_name from listing_title where listing_title_ID = ? ");
$stmt->bind_param('i',$main);
if($stmt->execute()) {
    $stmt->bind_result($tbl_name);
    $stmt->fetch();//bind_result() only binds; fetch() is what actually fills $tbl_name
    $stmt->close();
    //step 2: a table name cannot be a ? placeholder (that is what produced the 1064 error),
    //so it has to go into the SQL text. It comes from the database, not from the request,
    //but it is still data: check it against the list of tables you expect before using it here.
    $stmt = $mysqli->prepare("INSERT INTO `".$tbl_name."`
    (Name, Address, Location, Phone, Email, Time, Website, Photo1, Rating, Date_Published, categories_ID)
    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);");
    //$name (Photo1) and $sub_cat (categories_ID) are never assigned in the posted code; set them before execute()
    $stmt->bind_param('ssssssssisi',$title,$address,$location,$phone,$email,$time,$website,$name,$rating,$date,$sub_cat);
    if($stmt->execute()) {
        $stmt->close();
    }else{
        $stmt->close();
        //catch the error
    }
}else{
    $stmt->close();
    //throw an exception or handle the error here.
}
Note that this still needs work. You need to sanitize and trim your variables. Here is an example function. To include funcs, just add a require_once to your config.php file and it will be included in any file where you include config.php.
Like this:
require_once 'funcs.php';
Example sanitizing function:
funcs.php
//htmlspecialchars() converts &, <, >, " and ' to HTML entities, so values are stored HTML-encoded
function security($value) {
    if(is_array($value)) {
        $value = array_map('security', $value);
    } else {
        //get_magic_quotes_gpc() was removed in PHP 8; guard the call so the function still runs there
        if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = htmlspecialchars(stripslashes($value), ENT_QUOTES, 'UTF-8');
        } else {
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        $value = str_replace("\\", "\\\\", $value);
    }
    return $value;
}
Calling the function
$title = security(trim($_POST['name']));
I leave the sanitizer up to you. It's a worthwhile exercise, and you have an example that sanitizes anything, whether it's an integer, an array, an object or a string.
You should only use trim on strings. If you want to sanitize a whole array, just use the security function.
Good luck.
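Added example (the editor's, not code from the question or the answer above): the 1064 error comes from putting a ? placeholder where the table name belongs. Placeholders bind values only; an identifier has to be part of the SQL text, so a dynamic table name must be validated and quoted before it is spliced in. The answer reads the name from listing_title, which is better than taking it from the form, but a value stored in a table is still data, and the security() function HTML-encodes values rather than making them safe to use as identifiers. The script below shows the same rule in Python with sqlite3 so that it runs without a MySQL server: the failing bound identifier, the ID lookup done with a bound value and a real fetch, and an allowlist-plus-quote step for the table name. The schema, the table and column names, and the tampered row 3 are constructed sample data.

```python
import re
import sqlite3

# Constructed sample schema (not from the question). It mirrors the asker's
# layout: listing_title maps an ID to the name of a per-category table.
# Row 3 is deliberately corrupted to show why a name read from the database
# must still be validated before it is placed into SQL text.
SCHEMA = """
CREATE TABLE listing_title (listing_title_ID INTEGER PRIMARY KEY, tbl_name TEXT NOT NULL);
CREATE TABLE restaurants (Name TEXT, Address TEXT, Rating INTEGER, Date_Published TEXT);
CREATE TABLE hotels      (Name TEXT, Address TEXT, Rating INTEGER, Date_Published TEXT);
INSERT INTO listing_title VALUES (1, 'restaurants'), (2, 'hotels'),
                                 (3, 'hotels`; DROP TABLE restaurants; --');
"""

# A plain SQL identifier: letters, digits, underscore, not starting with a digit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db():
    """In-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def bind_identifier_fails(conn):
    """Reproduce the asker's mistake: a placeholder in the table-name position.
    Placeholders bind values only; the parser sees '?' where a name must be
    and rejects the statement at prepare time. Returns the error text."""
    try:
        conn.execute("INSERT INTO ? (Name) VALUES (?)", ("restaurants", "x"))
    except sqlite3.OperationalError as exc:
        return str(exc)
    return ""


def allowed_tables(conn):
    """Allowlist of insert targets taken from the catalogue, never from input.
    (On MySQL the analogue is information_schema.tables.)"""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name <> 'listing_title'"
    ).fetchall()
    return {r[0] for r in rows}


def resolve_table(conn, main_id):
    """The answer's step 1, with the ID bound as a value and the row fetched."""
    row = conn.execute(
        "SELECT tbl_name FROM listing_title WHERE listing_title_ID = ?", (main_id,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no listing_title row for ID {main_id!r}")
    return row[0]


def quote_identifier(name, allowed):
    """Accept only a plain identifier that is on the allowlist, then quote it.
    Backticks are MySQL's identifier quotes; SQLite accepts them as well."""
    if not IDENT_RE.match(name) or name not in allowed:
        raise ValueError(f"refusing table name {name!r}")
    return f"`{name}`"


def insert_listing(conn, main_id, listing):
    """Resolve -> validate -> splice the quoted identifier; bind every value."""
    table = quote_identifier(resolve_table(conn, main_id), allowed_tables(conn))
    sql = (f"INSERT INTO {table} (Name, Address, Rating, Date_Published) "
           "VALUES (?, ?, ?, ?)")
    cur = conn.execute(sql, (listing["name"], listing["address"],
                             listing["rating"], listing["date"]))
    conn.commit()
    return cur.rowcount


def count_rows(conn, table):
    """Row count of an allowlisted table, using the same quoting path."""
    ident = quote_identifier(table, allowed_tables(conn))
    return conn.execute(f"SELECT COUNT(*) FROM {ident}").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("binding the table name:", bind_identifier_fails(db))
    sample = {"name": "Cafe", "address": "1 Main St", "rating": 4, "date": "2024-01-01"}
    print("inserted into restaurants:", insert_listing(db, 1, sample))
    for bad_id in (3, 99):  # tampered name, then an ID with no lookup row
        try:
            insert_listing(db, bad_id, sample)
        except (ValueError, LookupError) as exc:
            print("rejected:", exc)
```

The allowlist is the part that matters: the regex alone would accept a valid-looking name of a table you never meant to write to, and the catalogue lookup alone would accept the corrupted row 3 if the check were skipped. Doing both, then quoting, is the only way an identifier can be made dynamic safely; the values still go through bound parameters exactly as in the answer.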