我是CS新生,目前正在独自学习PHP / MySQL。我可以通过PHP将联系表单发送到mySQL数据库。现在我正在使用mysqli准备好的语句来保护我的代码免遭mySQL注入,但遇到了麻烦。我创建了一个名为contact_check.php的新文件。
我得到的错误是:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '?, ?, ?, ?, ?)' at line 2. Do you know what is the error?
contactform.php
<?php
require("../config/db.php");
require("contact_check.php");
$link = mysqli_connect("localhost","root","","benoit");
if(isset($_POST["submit"])){
$name = $_POST["name"];
$company = $_POST["company"];
$emailFrom = $_POST["email"];
$phone = $_POST["phone"];
$message = htmlspecialchars($_POST["message"]);
$mailTo = "pamousset01@gmail.com";
$headers = "From:".$emailFrom;
$txt = "You have received an email from ".$name.".\n\n\n".$message;
mysqli_query($link,"INSERT INTO contact (`name`, `email`, `company`, `phone`, `message`)
VALUES (?, ?, ?, ?, ?)") or die(mysqli_error($link));
$stmt = mysqli_stmt_init($conn);
if(!mysqli_stmt_prepare($stmt, $sql)){
echo "SQL error";
} else{
mysqli_stmt_bind_param($stmt, "sssss", $name, $company, $emailFrom, $phone, $message);
mysqli_stmt_execute($stmt);
}
mail($mailTo, $name, $txt, $headers);
header("Location: contact.php?mailsend");
}
?>
contact_check.php
<?php
$data = "Admin";
//Template
$sql = "SELECT * FROM contact where name=?;";
//Prepared statement
$stmt = mysqli_stmt_init($conn);
if(mysqli_stmt_prepare($stmt, $sql)){
echo "error";
} else{
mysqli_stmt_bind_param($stmt, "s", $data);
//run parameters inside database
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
while($row = mysqli_fetch_assoc($result)){
echo $row["user_uid"] . "<br>";
}
}
?>
db.php
<?php
$dbServerName = "localhost";
$dbUserName = "root";
$dbPassword = "";
$dbName = "benoit";
$conn = mysqli_connect($dbServerName, $dbUserName, $dbPassword, $dbName);
if(mysqli_connect_error()){
echo"failed to connect to MYSQL" . mysqli_connect_error();
}
?>
答案 0 :(得分:1)
顺便说一句,您没有逃避可能会导致语法错误和SQL注入的用户输入。使用准备好的语句。 还要检查您的列名,在上面可能很可悲,可能是您引用了一个错误。