1. 首頁
  2. 問答
  3. SQL語法提交表單字段時出現錯誤值

SQL語法提交表單字段時出現錯誤值

2013-05-29 68 views
-1

我遇到了SQL問題。我已經嘗試了所有我找到的修復程序,但沒有任何效果。SQL語法提交表單字段時出現錯誤值

這是我在提交表單得到錯誤:

**Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'a')' at line 2**

它引用從文本field name="entity_name"

發送的字段的值來測試我的修訂對其他領域我在每個文本字段中隨機地輸入帶有撇號的文本。

除了第一個文本字段,一切都可以使用。而之前的錯誤會顯示所有文本字段和區域的語法問題。

我註釋掉$member = str_replace("'", "'", $member);

而且也註釋掉$member = mysql_real_escape_string($member);

兩個人都沒有固定的問題,但也不是$member = addslashes($member);

有人可以幫我找出爲什麼現實中仍然存在一個SQL語法問題呢?任何幫助,我可以得到將不勝感激。

這裏是我的代碼:

<?php 
session_start(); 
$con = mysql_connect("localhost","*******","*********"); 
if (!$con) 
    { 
    die('Could not connect: ' . mysql_error()); 
    } 

mysql_select_db("***********", $con); 

$memberlinksafe = $_POST['entity_name']; 

function strip_punctuation($memberlinksafe) { 
    $memberlinksafe = strtolower($memberlinksafe); 
    $memberlinksafe = preg_replace("/[:punct:]+/", "", $memberlinksafe); 
    $memberlinksafe = str_replace(" +", "", $memberlinksafe); 
    return $memberlinksafe; 
} 

//builds data from logo image to store into database 
$logofile = $_FILES['cover_photo']['tmp_name']; 

$logo = addslashes(file_get_contents($_FILES['cover_photo']['tmp_name'])); 
$logo_name = addslashes($_FILES['cover_photo']['tmp_name']); 

//build data from cover photo image to store into database 
$cover_photo_file = $_FILES['cover_photo']['tmp_name']; 

$cover_photo = addslashes(file_get_contents($_FILES['cover_photo']['tmp_name'])); 
$cover_photo_name = addslashes($_FILES['cover_photo']['tmp_name']); 

//build data from search photo image to store into database 
$search_image_file = $_FILES['cover_photo']['tmp_name']; 

$search_image = addslashes(file_get_contents($_FILES['cover_photo']['tmp_name'])); 
$search_image_name = addslashes($_FILES['cover_photo']['tmp_name']); 

$member = $_POST['member']; 
$member = addslashes($member); 
//$member = str_replace("'", "&#039;", $member); 
//$member = mysql_real_escape_string($member); 

//$entity_name = $_POST[entity_name]; 
//$entity_name = addslashes($entity_name); 
//$entity_name = str_replace("'", "&#039;", $entity_name); 

$keywords = $_POST['keywords']; 
$keywords = addslashes($keywords); 

$street_address = $_POST['street_address']; 
$street_address = addslashes($street_address); 

$city = $_POST['city']; 
$city = addslashes($city); 

$st = $_POST['st']; 
$st = addslashes($st); 

$mailcode = $_POST['mailcode']; 
$mailcode = addslashes($mailcode); 

$website = $_POST['website']; 
$website = addslashes($website); 

$fb_url = $_POST['fb_url']; 
$fb_url = addslashes($fb_url); 

$hours = $_POST['hours']; 
$hours = addslashes($hours); 

$ph_number = $_POST['ph_number']; 
$ph_number = addslashes($ph_number); 

$body_header = $_POST['body_header']; 
$body_header = addslashes($body_header); 
//$body_header = str_replace("'", "&#039;", $body_header); 

$body_text = $_POST['body_text']; 
$body_text = str_replace("'", "&#039;", $body_text); 

$search_blurb = $_POST['search_blurb']; 
$search_blurb = str_replace("'", "&#039;", $search_blurb); 

$sql="INSERT INTO *********** (entity_name, category, keywords, street_address, community_id, city, st, country, mailcode, website, fb_url, email, hours, ph_number, body_header, body_text, search_blurb, dd, ad, ed, gd, md, vd, pd, logo, logofilename, cover_photo, coverphotofilename, search_image, searchimagefilename, memberlinksafe) 
VALUES ('$member','$_POST[category]','$keywords','$street_address','$_POST[community_id]','$city','$st','$_POST[country]','$mailcode','$website','$fb_url','$_POST[email]','$hours','$ph_number','$body_header','$body_text','$search_blurb','$_POST[dd]','$_POST[ad]','$_POST[ed]','$_POST[gd]','$_POST[md]','$_POST[vd]','$_POST[pd]','$logo','$logo_name','$cover_photo','$cover_photo_name','$search_image','$search_image_name','$memberlinksafe')"; 

if (!mysql_query($sql,$con)) 
    { 
    die('Error: ' . mysql_error()); 
    } 
echo "<h1>Thank you for submitting your details!</h1><br><p><a href='business-attraction.php'>Add another</a> business/attraction.</p>"; 

mysql_close($con); 

?>

來源

2013-05-29 Jeff Peak

+0

使用PDO或mysqli的,具體而言,使用預處理語句將整理您的問題。 – hd1

+0

這裏有很多錯誤,但首先你應該使用PDO並準備好語句,因爲'mysql_ *'擴展名已被棄用。許多轉義和SQL注入漏洞只能通過移動來解決。 – doublesharp

+0

一個警告 - 在您的SQL查詢字符串中直接包含$ _POST變量可以實現SQL注入攻擊。 –

回答

0

第一我可以在查詢中那些是錯看,你需要引號內的POST,你需要逃避他們也。

$dd = mysql_real_escape_string($_POST["dd"]) ;

改變這種

'$_POST[dd]','$_POST[ad]','$_POST[ed]','$_POST[gd]','$_POST[md]','$_POST[vd]','$_POST[pd]' 


'$dd','$_POST["ad"]','$_POST["ed"]','$_POST["gd"]','$_POST["md"]','$_POST["vd"]','$_POST["pd"]', 
^^---//continue with other variables escaped like this one

來源

2013-05-29 19:02:51

+0

echo_Samir - 我已經按照你的要求做了這個改變,錯誤仍然存​​在,但仍然只有第一個變量。 –

+0

什麼第一個變量?並請提交你正在得到什麼錯誤。 –

+0

$ member這是表單提交後在瀏覽器中顯示的錯誤。錯誤:您的SQL語法有錯誤;檢查與您的MySQL服務器版本相對應的手冊,在第1行附近的'a')'處使用正確的語法 –

相關問題

 相關問題