创建基本的php页面不起作用

时间:2014-07-08 07:10:23

标签: php mysql

我试图在PHP(new_page.php)中创建新页面,成功创建的页面将插入到数据库(create_page.php)中,但现在它无法正常工作,不确定我缺少哪些步骤,任何帮助都很感激。以下是我的代码&截图:

Mysql表:

http://i60.tinypic.com/2h3aofr.png

new_page.php

http://i60.tinypic.com/21dmop2.png

<?php $host = "localhost";
$name = "root";
$password = "";
$db = "test_son";
$connection = mysqli_connect($host, $name, $password, $db);

//Check if connect to MySQL works

if (mysqli_connect_errno()){

    die("Connection to MySql error " . mysqli_connect_errno());
}?>


<?php
function find_all_pages(){
    global $connection;
    $query  =  "select * from pages ";
    $query .= "order by position asc";
    $page_set = mysqli_query($connection, $query);
    confirm_query($page_set);
    return $page_set;
}?>

<h2>Create Page</h2>
        <form action="create_page.php" method="post">
            <p>Subject Id:
                <input type="number" name="subject_id" value="" />
            </p>
            <p>Book name:
                <input type="text" name="book_name" value="" />
                <br/><br/>
            </p>
            <p>Position:
                <select name="position">

                    <?php

                    $page_set = find_all_pages();
                    $page_count = mysqli_num_rows($page_set);
                    for ($count=1; $count <= $page_count; $count++){
                    echo "<option value=\"1\">{$count}</option>";}
                    ?>

                </select>
            </p>
            <p>visible
                <input type="radio" name="visible" value="0" /> No
                <input type="radio" name="visible" value="0" /> Yes

            </p>
            <input type="submit" name ="submit" value="Create Page" />
        </form>

create_page.php

<?php 
if (isset($_POST["submit"])){
    //Process the form
    $subject_id = $_POST["subject_id"];
    $book_name = $_POST["book_name"];
    $position = $_POST["position"];
    $visible = $_POST["visible"];

    $book_name = mysqli_real_escape_string($connection, $book_name);
    $subject_id = mysqli_real_escape_string($connection, $subject_id);

    //Perform database query
    $query  = "insert into pages (";
    $query .= " subject_id, 'book_name', position, visible";
    $query .= " ) values ( ";
    $query .= "$subject_id, '$book_name', $position, $visible ";
    $query .= ")";

    $result = mysqli_query($connection, $query);

    if ($result){
            //Success will redirect to manage content page
            $_SESSION["message"] = "page was created. ";
            redirect("manage_content.php");
        } else {
            //Failure will redirect to new subject page
            //$_SESSION["message"] = "subject was not created. Please check following possible errors: <br/> "
                    //. " menu name is not blank <br/> visible is not blank";

            //redirect("new_page.php");
            echo "fail " . mysqli_error($connection) ; 
        }
}

&GT;

当我提交创建页面按钮时,出现错误:

您的SQL语法有错误;检查与您的MySQL服务器版本相对应的手册,以获得正确的语法,以便在&#39; book_name&#39; book_name&#39;,position,visible)值附近使用(121,&#39;如何赢得影响力1234&#39; ,1,0&#39;

2 个答案:

答案 0 :(得分:0)

您创建该查询的方式存在安全漏洞。但要专门回答您的问题,请摆脱'周围的'book_name'

答案 1 :(得分:0)

你不应该在column_names列表中有一个'字符....列名不是字符串文字,它们是列名。如果它们绝对必须被引用(例如,如果你的列名是MySQL保留字,那么你使用反引号(`)而不是引号(')

$query  = "insert into pages (";
$query .= " subject_id, book_name, position, visible";
$query .= " ) values ( ";
$query .= "$subject_id, '$book_name', $position, $visible ";
$query .= ")";

现在请了解准备好的语句和绑定变量