我正在使用一个带有脚本的小型mce,用于将某些内容上传到类似系统的博客。每当我通过微小的mce添加链接时,我都会收到此错误。 $ content中mysql的字段类型是带有链接的字段,如果有帮助就是longblob。
首先是链接错误,然后是我的代码
您的SQL语法有错误; 检查对应的手册 您的MySQL服务器版本 正确的语法在'google test'附近使用 HREF = “http://www.google.ca” target =“_ blank”> google est laborum'at 第4行
/* GRAB FORM DATA */
$title = $_POST['title'];
$date = $_POST['date'];
$content = $_POST['content'];
$imageName1 = $_FILES["file"]["name"];
$date = date("Y-m-d");
$sql = "INSERT INTO blog (title,date,content,image)VALUES(
\"$title\",
\"$date\",
\"$content\",
\"$imageName1\"
)";
$results = mysql_query($sql)or die(mysql_error());
更新:当我正在使用WHERE语句执行UPDATE时,我将如何使用sprintf执行相同的mysql转义当前我收到错误
Warning: sprintf() [function.sprintf]: Too few arguments in /home/akitson1/anderskitson.ca/admin/blogEdit.php on line 88
Query was empty
$sql = sprintf("UPDATE blog SET WHERE id=$thisID (title,date,content,image)VALUES('%s','%s','%s','%s')",
mysql_real_escape_string($title),
mysql_real_escape_string($date),
mysql_real_escape_string($content));
答案 0 :(得分:3)
转义您的数据。 mysql_real_escape_string()最好,addslashes()至少......
mysql_real_escape_string和sprintf:
$title = $_POST['title'];
$date = $_POST['date']; // why do you assign this here, though? it's re-assigned again below?
$content = $_POST['content'];
$imageName1 = $_FILES["file"]["name"];
$date = date("Y-m-d");
$sql = sprintf("INSERT INTO blog (title,date,content,image)VALUES('%s','%s','%s','%s')",
mysql_real_escape_string($title),
mysql_real_escape_string($date),
mysql_real_escape_string($content),
mysql_real_escape_string($imageName1) );
$results = mysql_query($sql)or die(mysql_error());
这至少有两个好处:
sprintf很好,因为它可以保持你的语句清洁,让你做其他很酷的事情。 Check it out.
最后一件事是,当你得到它时,你需要 un 转义你的数据。所以
$result = mysql_query("SELECT * FROM `blog`");
$row = mysql_fetch_assoc($result);
echo stripslashes($row['content']);
重新:您的更新:
您的SQL因更新而格式错误。至于sprintf,它将用提供的变量替换所有%s(或数字的%d ......无论你使用什么)(如果你给它4%s,你需要给它4个参数)。
如果您的更新,您有5. 4%s(字符串)和1%d(数字)
$sql = sprintf("UPDATE `blog` SET `title` = '%s', `date` = '%s', `content` = '%s', `image` = '%s' WHERE `id` = '%d'",
mysql_real_escape_string($title), // first %s gets replaced
mysql_real_escape_string($date), // second %s gets replaced
mysql_real_escape_string($content), // third %s gets replaced
mysql_real_escape_string($imageName1), // fourth %s gets replaced
$thisId ); //forced as digit (the %d), no need for escaping
答案 1 :(得分:0)
尝试使用mysql_real_escape_string
$title = mysql_real_escape_string($_POST['title']);
$date = mysql_real_escape_string($_POST['date']);
$content = mysql_real_escape_string($_POST['content']);
$imageName1 = $_FILES["file"]["name"];
$date = date("Y-m-d");