我试图从表单中插入一些数据,并且每次“查询数据库时出错”都会出错 我的编码就是这个
<?php
$dbc = mysqli_connect('localhost', 'root', '', 'askquestion')
or die('Error connecting to MySQL server.');
$first_name=$_POST['firstname'];
$last_name=$_POST['lastname'];
$email=$_POST['email'];
$password=$_POST['password'];
$state=$_POST['state'];
$city=$_POST['city'];
$category=$_POST['category'];
$query = "INSERT INTO signup (first_name, last_name, email, password, state, city, category) VALUES ('$first_name', '$last_name', $email, $password, $state, $city, $category)";
$result=mysqli_query($dbc, $query) or die('Error querying database.'). mysql_error();;
echo 'you are registered...!';
mysqli_close($dbc);
?>
答案 0 :(得分:1)
你很容易被SQL Injection attacks攻击。始终使用mysql_real_escape_string()
转义传入的POST值。这有助于防止SQL注入,并确保在查询语句中使用的具有特殊字符的所有值都被正确转义(例如引号)。
此外,请确保VALUES语句中的所有字符串值都正确包装在引号中。
答案 1 :(得分:0)
查看您的查询,
'$last_name', $email, $password, $state, $city, $category)
你应该:
$query = "INSERT INTO signup (first_name, last_name, email, password, state, city, category) VALUES ('$first_name', '$last_name', '$email', '$password', '$state', '$city', '$category')";
另外,尝试使用
die(mysql_error());
正在开发中
对于SQL安全性,您应始终转义每个输入值:
$first_name=mysql_real_escape_string($_POST['firstname']);
答案 2 :(得分:0)
将值插入数据库时,您需要围绕变量或值作为字符串的引号,您不需要围绕整数/浮点数或数字的引号。
我假设您从POST超级全局获取的所有值都是文本字符串。因此替换为:(如果这不起作用,请检查您的表结构):
$query = "INSERT INTO signup (first_name, last_name, email, password, state, city, category) VALUES ('$first_name', '$last_name', $email, $password, $state, $city, $category)";
用这个:
$query = "INSERT INTO signup (first_name, last_name, email, password, state, city, category) VALUES ('$first_name', '$last_name', '$email', '$password', '$state', '$city', '$category')";
有关详情,请参阅此处:http://www.w3schools.com/sql/sql_insert.asp