我已經通過我的73年5月1日MySQL手冊,我只是無法找到語法錯誤是,MySQL是給我,當我嘗試發佈/得到的東西:這是什麼MySQL的語法錯誤?
mysqli_query($connect,'INSERT INTO serial (name, company, algo, country, notes) VALUES ('.$_GET['name'].','.$_GET['company'].','.$_GET['algo'].','.$_GET['country'].','.$_GET['notes'].')');
MySQL的錯誤:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FCINGZ000***,Unknown,Thanks)' at line 1
您應該將$_GET值分配給變量以防止出現語法錯誤。另外,使用mysqli_real_escape_string()來防止MySQL注入。
$name = mysqli_real_escape_string($connect, $_GET['name']);
$company = mysqli_real_escape_string($connect, $_GET['company']);
$algo = mysqli_real_escape_string($connect, $_GET['algo']);
$country = mysqli_real_escape_string($connect, $_GET['country']);
$notes = mysqli_real_escape_string($connect, $_GET['notes']);
mysqli_query($connect, "INSERT INTO serial (name, company, algo, country, notes) VALUES ('$name', '$company', '$algo', '$country', '$notes')");
請發佈錯誤消息並搜索SQL注入。你可能會錯過你的字符串值的單引號(''')。 – ccKep
@ccKep您的SQL語法有錯誤;檢查與您的MySQL服務器版本相對應的手冊,在第一行使用'FCINGZ000 ***,Unknown,Thanks'附近的正確語法'' – Kirsty
使用準備好的語句可以解決這個問題(你缺少圍繞字符串值的引號)還將修復您擁有的巨大SQL注入漏洞,請參閱[如何防止PHP中的SQL注入?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in -php) –