PHP脚本问题

时间:2019-03-15 18:21:31

标签: php mysql

我有以下代码:

<?php

include "../../inc/dbinfo.inc";
header('Access-Control-Allow-Origin: *');

$finance = '0';
$interNews = '0';
$politicalNews = '0';
$tech = '0';
$philosophy = '0';
$history = '0';
$gaming = '0';
$joke = '0';
$music = '0';
$sports = '0';


$connection = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
$question = mysqli_real_escape_string($connection, $_POST["questionPOST"]);
$finance = mysqli_real_escape_string($connection, $_POST["Finance"]);
$interNews = mysqli_real_escape_string($connection, $_POST["InternationalNews"]);
$politicalNews = mysqli_real_escape_string($connection, $_POST["PoliticalNews"]);
$tech = mysqli_real_escape_string($connection, $_POST["Technology"]);
$philosophy = mysqli_real_escape_string($connection, $_POST["Philosophy"]);
$history = mysqli_real_escape_string($connection, $_POST["History"]);
$gaming = mysqli_real_escape_string($connection, $_POST["Gaming"]);
$joke = mysqli_real_escape_string($connection, $_POST["Joke"]);
$music = mysqli_real_escape_string($connection, $_POST["Music"]);
$sports = mysqli_real_escape_string($connection, $_POST["Sports"]);
$list = mysqli_real_escape_string($connection, $_POST["listOfCategories"]);

if ($connection) {
    $result = mysqli_query($connection, "INSERT INTO questions ".
              "(question, wasAsked, Finance,International News, Political News,".
              "Technology, Philosophy, History, Gaming, Joke, Music, Sports, categories) VALUES".
              "('$question', 0, '$finance', '$interNews', '$politicalNews', '$tech','$philosophy',".
              "$history', '$gaming', '$joke', '$music', '$sports', '$list')") or die(mysqli_error($connection));
    echo "Success";
    exit;
} else {
    echo "Failed!";
}
?>

我不断收到错误消息:

  

您的SQL语法有错误;在第1行的“新闻,政治新闻,技术,哲学,历史,游戏,笑话,音乐,体育”附近查看与MySQL服务器版本相对应的手册以使用正确的语法。

哪一个非常模糊。我正在使用PHP Storm纠正PHP脚本,然后将其放入Nano。我似乎找不到错误。我不是用这种方式连接字符串或其他方式。任何帮助,将不胜感激。

2 个答案:

答案 0 :(得分:2)

SQL列不能包含空格,除非它们用引号或反引号引起来。您需要更改查询,使其看起来像这样:

$result = mysqli_query($connection, "INSERT INTO questions ".
              "(question, wasAsked, Finance,`International News`, `Political News`,".
              "Technology, Philosophy, History, Gaming, Joke, Music, Sports, categories) VALUES".
              "('$question', 0, '$finance', '$interNews', '$politicalNews', '$tech','$philosophy',".
              "$history', '$gaming', '$joke', '$music', '$sports', '$list')") or die(mysqli_error($connection));

看看International NewsPolitical News现在如何用反引号包起来。

更新: 如注释中所建议,将反引号添加到所有字段以保持一致性(无论如何,默认情况下,一些数据库软件平台会这样做)。还要确保准备这些语句。始终避免注射。如评论中所述,mysqli_real_escape_string()容易受到攻击:

$sql = "INSERT INTO questions ".
              "(`question`, `wasAsked`, `Finance`,`International News`, `Political News`,".
              "`Technology`, `Philosophy`, `History`, `Gaming`, `Joke`, `Music`, `Sports`, `categories`) VALUES".
              "(?, 0, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";

现在,您可以通过mysqli_prepare()运行参数。此处更多信息:http://php.net/manual/en/mysqli.prepare.php

答案 1 :(得分:-1)

Mysql列不能包含空格(通常是首选方式;可以使用snakecase或camelcase),或者它们必须由反引号包围。如果提供的空间没有反引号,如《政治新闻》中所述,mysql会认为它是语法错误。 要了解更多信息,这是另一个答案。 https://stackoverflow.com/a/14190833

相关问题
最新问题