MySQL query returns an error

Time: 2014-06-07 20:40:50

Tags: php mysql database

This returns a MySQL error:

<?php

$name = $_POST['inputName2'];
$email = $_POST['inputEmail2'];
$instruments = $_POST['instruments'];
$city = $_POST['inputCity'];
$country = $_POST['inputCountry'];
$distance = $_POST['distance'];

// ^^ These all echo properly ^^

// CONNECT TO DB
$dbhost = "xxx";
$dbname = "xxx";
$dbuser = "xxx";
$dbpass = "xxx";

$con = mysqli_connect("$dbhost", "$dbuser", "$dbpass", "$dbname");

if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$query = "INSERT INTO depfinder (name, email, instrument1, instrument2, instrument3, instrument4, instrument5, city, country, max_distance) VALUES ($name, $email, $instruments[0], $instruments[1], $instruments[2], $instruments[3], $instruments[4], $city, $country, $max_distance)";
$result = mysqli_query($con, $query) or die(mysqli_error($con)); // script fails here

if (!$result)
{
    echo "There was a problem with the signup process. Please try again later.";    
}

else
{
    echo "Success";
}
?>

N.B. I'm not sure whether it's relevant, but the user may not choose five instruments, so some of the $instrument[] array values may be empty.

Bonus question: is my script secure enough, or is there more I could do?

2 answers:

Answer 0 (score: 1)

You need quotes around the string values in the query:

$query = "INSERT INTO depfinder 
            (name, email, instrument1, instrument2, instrument3, instrument4, instrument5, city, country, max_distance) 
         VALUES ('$name', '$email', '$instruments[0]', '$instruments[1]', '$instruments[2]', 
                 '$instruments[3]', '$instruments[4]', 
                 '$city', '$country', $distance)";

To answer your bonus question: your script is not secure at all. It is vulnerable to SQL injection, and it will also throw a syntax error if any value contains an apostrophe. You should use prepared queries with parameters instead of string substitution. Or, if you do use substitution, you should use mysqli_real_escape_string to prevent both injection and syntax errors.
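The contrast this answer draws, as an added example that is not part of the question or either answer: unsafe_insert_sql() builds the quoted-interpolation query from this answer and returns the string instead of running it, so the effect of a hostile value can be inspected offline; insert_depfinder() performs the same INSERT with mysqli_prepare and mysqli_stmt_bind_param. The table and column names are taken from the question; the helper names, the hostile submission and the commented-out connection are constructed for the example.

```php
<?php
declare(strict_types=1);

// Pads the optional multi-select to exactly five entries; missing slots are null.
function five_instruments(array $chosen): array
{
    return array_pad(array_slice(array_values($chosen), 0, 5), 5, null);
}

// The quoted-interpolation query from the answer, returned as a string instead
// of being executed so the effect of a hostile value can be inspected offline.
function unsafe_insert_sql(array $f): string
{
    $i = five_instruments($f['instruments']);
    return "INSERT INTO depfinder (name, email, instrument1, instrument2, instrument3, instrument4, instrument5, city, country, max_distance)"
        . " VALUES ('{$f['name']}', '{$f['email']}', '{$i[0]}', '{$i[1]}', '{$i[2]}', '{$i[3]}', '{$i[4]}',"
        . " '{$f['city']}', '{$f['country']}', {$f['distance']})";
}

// Same INSERT as a prepared statement: the SQL text contains only placeholders
// and the values travel separately, so quotes in user input can neither break
// the query nor change its meaning. Needs a live mysqli connection.
function insert_depfinder(mysqli $con, array $f): bool
{
    $sql = "INSERT INTO depfinder (name, email, instrument1, instrument2, instrument3, instrument4, instrument5, city, country, max_distance)"
         . " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false) {
        return false;
    }
    $i = five_instruments($f['instruments']);
    $distance = (int) $f['distance'];
    // 's' = string, 'i' = integer. A PHP null is bound as SQL NULL whatever the
    // type letter, which is what the unchosen instrument slots should be.
    mysqli_stmt_bind_param($stmt, 'sssssssssi',
        $f['name'], $f['email'], $i[0], $i[1], $i[2], $i[3], $i[4],
        $f['city'], $f['country'], $distance);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Constructed hostile submission: the name closes the VALUES list and turns the
// rest of the query into a comment ("-- " needs the trailing space in MySQL).
$hostile = [
    'name'        => "Bob', 'attacker@example.com', 'guitar', NULL, NULL, NULL, NULL, 'Oslo', 'NO', 0) -- ",
    'email'       => 'ignored@example.com',
    'instruments' => ['drums'],
    'city'        => 'x',
    'country'     => 'x',
    'distance'    => '50',
];

echo unsafe_insert_sql($hostile), "\n";
// Every column value in the printed statement now comes from the attacker's
// name field, not from the form. A harmless name such as O'Brien makes the
// same code fail with a syntax error instead.

// With real credentials (assumed), the prepared version stores the string verbatim:
// $con = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
// var_dump(insert_depfinder($con, $hostile));
```

Two details worth keeping from the prepared version: max_distance is cast and bound as an integer rather than interpolated bare, and the unchosen instrument slots are bound as null so the database sees NULL instead of an empty string.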

Answer 1 (score: 1)

It looks like the missing single quotes around the variables in the query were the initial problem, so that could be considered a quick fix.

But I went ahead and refactored your code to simplify it and provide some basic validation.

Additions to note include using $post_array to roll through the $_POST values and doing basic value checking with isset & !empty. Just a side note, but in the original script (and in this cleanup) you are setting the $distance string, but you never actually use it in this code. Does it come up later? And what is $max_distance? Could you have mixed up $distance and $max_distance? Fair typo, but I noticed it.

Also, another option for getting rid of the single quotes is to use mysqli_stmt_bind_param, which I've set up here, along with mysqli_free_result & mysqli_close to neatly wrap up the MySQL process.

// Set a '$_POST' array and roll through each value.
$post_array = array('inputName2', 'inputEmail2', 'instruments', 'inputCity', 'inputCountry', 'distance');
foreach ($post_array as $post_value) {
  // Creates $inputName2, $inputEmail2, $instruments, $inputCity, $inputCountry, $distance
  // (null when the field is missing or empty; !empty already implies isset).
  $$post_value = !empty($_POST[$post_value]) ? $_POST[$post_value] : null;
}

// The multi-select may be absent, a single value or fewer than five entries;
// pad it to five so every bound slot exists, with missing ones as null.
$instruments = array_pad(array_slice((array) $instruments, 0, 5), 5, null);

// CONNECT TO DB
$dbhost = "xxx";
$dbname = "xxx";
$dbuser = "xxx";
$dbpass = "xxx";

// Set the connection or die returning an error.
$con = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname) or die(mysqli_connect_error());

// Set the query.
$query = "INSERT INTO depfinder (name, email, instrument1, instrument2, instrument3, instrument4, instrument5, city, country, max_distance)"
        . " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
        ;

// Prepare the statement: placeholders are bound on the prepared statement, not on the query string.
$stmt = mysqli_prepare($con, $query) or die(mysqli_error($con));

// Bind the params (a null binds as SQL NULL). The names match the variables created by the loop above.
mysqli_stmt_bind_param($stmt, 'ssssssssss', $inputName2, $inputEmail2, $instruments[0], $instruments[1], $instruments[2], $instruments[3], $instruments[4], $inputCity, $inputCountry, $distance);

// Run the query.
$result = mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));

// Check whether the statement ran & echo a message based on that.
if (!$result) {
    echo "There was a problem with the signup process. Please try again later.";    
}
else {
    echo "Success";
}

// An INSERT produces no result set, so there is nothing to free; close the statement instead.
mysqli_stmt_close($stmt);

// Close the connection.
mysqli_close($con);
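The "basic validation" this answer mentions is only an isset/!empty check. Here is an added example (not from the question or either answer) of a validation step that goes further: it normalises each field, rejects malformed input, pads the optional instrument multi-select to five slots so the empty ones from the question's N.B. become SQL NULL, and produces a record whose keys can be bound one by one to the prepared INSERT. The form field names are the question's; the length limit of 100 bytes, the five-instrument cap and the two sample submissions are constructed for the example.

```php
<?php
declare(strict_types=1);

// Validates the raw form fields and returns a normalised record plus any error
// messages. It never touches the database: the record's keys are meant to be
// bound to the prepared INSERT one by one.
function validate_signup(array $post): array
{
    $errors = [];
    $rec = [];

    // Required free-text fields, trimmed and length-limited (limit assumed).
    foreach (['inputName2' => 'name', 'inputCity' => 'city', 'inputCountry' => 'country'] as $field => $key) {
        $v = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
        if ($v === '' || strlen($v) > 100) {
            $errors[] = "$key is required and must be at most 100 bytes";
        }
        $rec[$key] = $v;
    }

    $email = is_string($post['inputEmail2'] ?? null) ? trim($post['inputEmail2']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    $rec['email'] = $email;

    // Optional multi-select: keep non-empty strings, at most five, and pad the
    // rest with null so unchosen slots are stored as SQL NULL rather than ''.
    $chosen = $post['instruments'] ?? [];
    $chosen = is_array($chosen) ? $chosen : [$chosen];
    $clean = [];
    foreach ($chosen as $c) {
        if (is_string($c) && trim($c) !== '') {
            $clean[] = trim($c);
        }
    }
    if (count($clean) > 5) {
        $errors[] = 'at most five instruments may be chosen';
    }
    $rec['instruments'] = array_pad(array_slice($clean, 0, 5), 5, null);

    // max_distance is numeric: accept only a non-negative integer, so it can be
    // bound with the 'i' type rather than interpolated into the query text.
    $d = filter_var($post['distance'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($d === false) {
        $errors[] = 'distance must be a non-negative integer';
    }
    $rec['distance'] = $d === false ? null : $d;

    return ['ok' => $errors === [], 'record' => $rec, 'errors' => $errors];
}

// Constructed sample submissions: one well-formed, one with several problems.
$good = [
    'inputName2'   => ' Ada ',
    'inputEmail2'  => 'ada@example.com',
    'instruments'  => ['piano', '', 'cello'],   // second slot left blank in the form
    'inputCity'    => 'London',
    'inputCountry' => 'UK',
    'distance'     => '25',
];
$bad = ['inputName2' => '', 'inputEmail2' => 'not-an-email', 'distance' => '-3'];

$r = validate_signup($good);
var_dump($r['ok']);
print_r($r['record']['instruments']);   // the blank entry is dropped and the tail padded with null
var_dump($r['record']['distance']);     // already an int, no cast needed before binding

print_r(validate_signup($bad)['errors']);
```

Validation of this kind is a complement to the prepared statement, not a substitute for it: the parameter binding is what stops injection, while the checks here keep garbage (a negative distance, a non-address in the email column, an unbounded instrument list) out of the table and give the user a useful error instead of the generic "There was a problem" message.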