mysql数据库中的查询失败

时间:2017-07-09 13:16:21

标签: php mysql

下午好, 我没有看到我的代码中的任何错误,我一直在获得Mysql错误。

我的代码看起来像这样

<?php
include 'account_numgen.php';
require_once('inc/config.php');

$con = mysqli_connect($host,$user,$pass, $db)or die ('Cannot Connect :'.mysqli_error());

$account_number = mysqli_real_escape_string($con,$_POST['account_number']);
$first_name = mysqli_real_escape_string($con,$_POST['first_name']);
$mi = mysqli_real_escape_string($con,$_POST['mi']);
$last_name = mysqli_real_escape_string($con,$_POST['last_name']);
$address = mysqli_real_escape_string($con,$_POST['address']);
$address2 = mysqli_real_escape_string($con,$_POST['address2']);
$city = mysqli_real_escape_string($con,$_POST['city']);
$tel = mysqli_real_escape_string($con,$_POST['tel']);
$email = mysqli_real_escape_string($con,$_POST['email']);
$nok_1 = mysqli_real_escape_string($con,$_POST['nok_1']);
$nok1_address = mysqli_real_escape_string($con,$_POST['nok1_address']);
$nok1_address2 = mysqli_real_escape_string($con,$_POST['nok1_address2']);
$nok1_city = mysqli_real_escape_string($con,$_POST['nok1_city']);
$nok_2 = mysqli_real_escape_string($con,$_POST['nok_2']);
$nok2_address = mysqli_real_escape_string($con,$_POST['nok2_address']);
$nok2_address2 = mysqli_real_escape_string($con,$_POST['nok2_address2']);
$nok2_city = mysqli_real_escape_string($con,$_POST['nok2_city']);
$id_type = mysqli_real_escape_string($con,$_POST['id_type']);
$id_number = mysqli_real_escape_string($con,$_POST['id_number']);
$open_bal = mysqli_real_escape_string($con,$_POST['open_bal']);
$passport_name = $_FILES['passport']['name'];
$passport_size = $_FILES['passport']['size'];
$passport_type = $_FILES['passport']['type'];
$passporttmp_name = $_FILES['passport']['tmp_name'];

$signature_name = $_FILES['signature']['name'];
$signature_size = $_FILES['signature']['size'];
$signature_type = $_FILES['signature']['type'];
$signaturetmp_name = $_FILES['signature']['tmp_name'];

$sql = "insert into bank_details(account_number,first_name,mi,last_name,address,address2,city,tel,email,nok_1,nok1_address,nok1_address2,nok1_city,nok_2,nok2_address,nok2_address2,nok2_city,id_type,id_number,open_bal,passport_name,passport_size,passport_type,passporttmp_name,signature_name,signature_size,signature_type,signaturetmp_name) values ('".$account_number."','".$first_name."','".$mi."','".$last_name."','".$address."','".$address2."','".$city."','".$tel."','".$email."','".$nok_1."','".$nok1_address."','".$nok1_address2."','".$nok1_city."','".$nok_2."','".$nok2_address."','".$nok2_address2."','".$nok2_city."','".$id_type."','".$id_number."','".$open_bal."','".$passport_name."','".$passport_size."','".$passport_type."','".$passporttmp_name."','".$signature_name."','".$signature_size."','".$signature_type."','".$signaturetmp_name."')";
mysqli_query($con,$sql) or die ('Failed Query: '.mysqli_error($con));

$passport_dir = 'passport/';
$signature_dir = 'signature/';

$filePath1 = $passport_dir . $passport_name;
$filePath2 = $signature_dir . $signature_name;

$result1 = move_uploaded_file($passporttmp_name,$filePath1);
$result2 = move_uploaded_file($signaturetmp_name,$filePath2);

echo ('
<SCRIPT LANGUAGE="JavaScript">
   window.alert("Account Information \n Account Number: '.$account_number.'\n First Name: '.$first_name.'\n Last Name: '.$last_name.'\n Last Name: '.$open_bal.'")
   window.location.href="index.html";
</SCRIPT>
');

?>

现在我收到此错误

Failed Query: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's_Signature.png','78716','image/png','C:\xampp\tmp\phpD784.tmp')' at line 1

为什么会这样?我没有看到我的代码中的任何错误,它是如何停止发布到我的本地主机上的数据库。

修改

当我添加mysqli_real_escape_string($con, $_FILES[....])时,它工作正常,但它不会将图像从应用程序发送到localhost服务器,究竟是什么情况?

3 个答案:

答案 0 :(得分:0)

在所有字段上使用mysqli_real_escape_string,包括您在$_FILES

中获得的内容

显然,名字中有引号...... 而你使用它的方式路径是错误的,因为它应该是\\而不是每个\,否则\t是一个标签。

答案 1 :(得分:0)

$signature_name有一个撇号(')。您需要使用mysqli_real_escape_string转义它。

除了使用预准备语句,我建议转义查询的所有参数。看看https://www.w3schools.com/php/php_mysql_prepared_statements.asp

编辑:由会计师提取

转义所有参数或使用预准备语句。实际上,您应该始终使用预准备语句,除其他外,它们会为您提供参数。

答案 2 :(得分:0)

在“mysqli_real_escape_string”上使用$signature_name - 其中包含撇号。

$signature_name = mysqli_real_escape_string($con,$_FILES['signature']['name']);