这是所有代码。错误就是这个。
查询fail您的SQL语法中有错误;检查与您的MySQL服务器版本相对应的手册,以便在#39;标题'''',现在(),' macbook-retina附近使用正确的语法-wallpapers-hd.jpg''内容''标签'' 4''状态''在第1行
<?php
if(isset($_POST['create_post'])){
$post_title = $_POST['title'];
$post_author = $_POST['authror'];
$post_category_id= $_POST['post_category_id'];
$post_status = $_POST['post_status'];
$post_image = $_FILES['image']['name'];
$post_image_temp = $_FILES['image']['tmp_name'];
$post_tags= $_POST['post_tags'];
$post_content = $_POST['post_content'];
$post_date = date('d-m-y');
$post_comment_count = 4;
move_uploaded_file($post_image_temp, "../images/$post_image");
$query = "INSERT INTO posts(post_category_id, post_title, post_author, post_date, post_image, post_content, post_tags, post_comment_count, post_status)";
$query .= "VALUES({$post_category_id},'{$post_title}','{$post_author}',now(),'{$post_image}','{$post_content}','{$post_tags}','{$post_comment_count}','{$post_status}') ";
$create_post_query = mysqli_query($connection, $query);
if(!$create_post_query){
die ("query fail" . mysqli_error($connection));
}
}
?>
<form action = "" method="post" enctype="multipart/form-data">
<div class="form-group">
<label for="title"> Title</label>
<input type="text" class="form-control" name="title">
</div>
<div class="form-group">
<label for="Category"> Category</label>
<input type="text" class="form-control" name="category">
</div>
<div class="form-group">
<label for="Author"> Author</label>
<input type="text" class="form-control" name="author">
</div>
<div class="form-group">
<label for="post-status"> Status</label>
<input type="text" class="form-control" name="post_status">
</div>
<div class="form-group">
<label for="post_image"> Image</label>
<input type="file" name="image">
</div>
<div class="form-group">
<label for="post_tags"> Tags</label>
<input type="text" class="form-control" name="post_tags">
</div>
<div class="form-group">
<label for="post_content"> Content</label>
<textarea type="text" class="form-control" name="post_content" id="" cols="30" rows="10"></textarea>
</div>
<div class="form-group">
<input class="btn btn-primary" type="submit" name="create_post" value="publish post">
</div>
</form>
因此,当您输入表单中的字段并将帖子提交到数据库时,我正在运行查询。由于某种原因,它无法正常工作。如果您有任何建议,那就太棒了。
if(isset($_POST['create_post'])){
$post_title = $_POST['title'];
$post_author = $_POST['authror'];
$post_category_id= $_POST['post_category_id'];
$post_status = $_POST['post_status'];
$post_image = $_FILES['image']['name'];
$post_image_temp = $_FILES['image']['tmp_name'];
$post_tags= $_POST['post_tags'];
$post_content = $_POST['post_content'];
$post_date = date('d-m-y');
$post_comment_count = 4;
move_uploaded_file($post_image_temp, "../images/$post_image");
$query = "INSERT INTO posts(post_category_id, post_title, post_author, post_date, post_image, post_content, post_tags, post_comment_count, post_status)";
$query .= "VALUES({$post_category_id},'{$post_title}','{$post_author}',now(),'{$post_image}','{$post_content}','{$post_tags}','{$post_comment_count}','{$post_status}') ";
$create_post_query = mysqli_query($connection, $query);
}
答案 0 :(得分:2)
您的问题是,您尝试插入的值(如果它们包含撇号$post_content,则最有可能$post_author或')包含混淆SQL解析器的引号,因为它无法确定每个值结束的地方。
您需要使用参数化查询和预准备语句。它不仅更安全,而且使得SQL解析器无法对确切的值进行混淆。
/* Put ? where the values would be. One for each value, and don't use quotes */
$query = "INSERT INTO posts ... VALUES (?, ?, ?...)";
$stmt = mysqli_prepare($connection, $query) or die (mysqli_error($connection));
/*bind the values to the ? parameters (replace 's' with 'i' for integer values)*/
/*each 's' or 'i' indicates the type of value to replace the matching ? */
$stmt->bind_param('iss..', $post_category_id, $post_title, $post_author...);
/*execute the query and abort on error*/
$stmt->execute() or die ($stmt->error);
//Success!
答案 1 :(得分:0)
是的,我们需要帮助的几件事情,请打印您的查询给自己并在此处发布,也许所有都添加了您的dB结构的导出。我看到你有一个约会,但格式不是sql标准。
转移您的值很可能是问题所在,因此使用实际值的示例将使我们能够测试它。
另外我看到$ query结尾和$ query之间没有空格。= start,也是我自己的版本无法处理的东西