奇怪的錯誤試圖插入一行到DB

Question

可能有人請xplain我爲什麼這個代碼中插入一本新書到我的數據庫得到這個錯誤：

ERROR: Could not able to execute INSERT INTO books (Email, Name, Price) VALUES (jacob.stern@mail.yu.edu, Jack turell's guide to life, $100). You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@mail.yu.edu, Jack turell's guide to life, $100)' at line 2

session_start(); 
$book = $_POST["book"]; 
//$condition = $_PST["condition"]; 
$price = $_POST["price"]; 
$email = $_SESSION["email"]; 

    $book = $link->real_escape_string($book); 
    $price = $link->real_escape_string($price); 
    $email = $link->real_escape_string($email); 

    // Create connection 
    $link = mysqli_connect($servername, $username, $password, $dbname); 
    // Check connection 
    if($link === false){ 
    die("ERROR: Could not connect. " . mysqli_connect_error()); 
    } 


    if($email===null){ 
     header("Location: http://yutradecircle.com/index.html"); 
    } 
    else{ 
     $sql = "INSERT INTO books (Email, Name, Price) 
     VALUES ('{$email}', '{$book}', '{$price}')"; 

    if (mysqli_query($link, $sql)) { 
     echo "New record created successfully</br><a   href='tradecircle.php'>Home</a>"; 
     } else { 
      echo "ERROR: Could not able to execute $sql. " . mysqli_error($link); 
     } 

    } 
    mysqli_close($link); 

Answer 1

您需要的值添加引號，並根據需要逃避這些變量第一，以及因爲名字中有報價的錯誤。

$book = $link->real_escape_string($book); 
$email = $link->real_escape_string($email); 
$price = $link->real_escape_string($price); 

然後：

$sql = "INSERT INTO books (Email, Name, Price) VALUES ('$email', '$book', '$price')"; 

在一般建築琴絃一樣，是一個安全問題。檢查PDO並使用它或類似的庫來構建插入，以防止SQL注入。

Answer 2

您需要使用字符串引號值：

$sql = "INSERT INTO books (Email, Name, Price) VALUES ('$email', '$book', '$price')";