2012-12-11 68 views
-2

Possible duplicate:
How to prevent SQL injection?

Problem with MySQL

While working on my script, I copied a topic from Gmail and pasted it into my script to add it as a topic, and suddenly I ran into this problem.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'no matter where the" at line 2 

This problem only happens when I copy from Gmail, even though I paste it into Notepad first and then copy it into my script.

This is my code for adding a topic:

<?php 
@session_start(); 


if (!$_SESSION['username']){ 
echo "<meta http-equiv='refresh' content='0; url=../login.php'/>"; 
    exit(); 
} 

?> 

<?php include "../config.php";?> 
<html> 
<head> 

<meta charset="utf-8"/> 
<link rel="stylesheet" type="text/css" href="admin.css" media="screen"/> 



</head> 
<body> 

<!-- TinyMCE --> 
<script type="text/javascript" src="../editor/tiny_mce.js"></script> 
<script type="text/javascript"> 
    tinyMCE.init({ 
     // General options 
     mode : "textareas", 
     theme : "advanced", 
     plugins : "autolink,lists,pagebreak,style,layer,table,save,advhr,advimage,advlink,emotions,iespell,inlinepopups,insertdatetime,preview,media,searchreplace,print,contextmenu,paste,directionality,fullscreen,noneditable,visualchars,nonbreaking,xhtmlxtras,template,wordcount,advlist,autosave", 

     // Theme options 
     theme_advanced_buttons1 : "bold,italic,underline,strikethrough,|,justifyleft,justifycenter,justifyright,justifyfull,styleselect,formatselect,fontselect,fontsizeselect", 
     theme_advanced_buttons2 : "bullist,numlist,|,link,unlink,anchor,cleanup,insertdate,inserttime,preview,|,forecolor,backcolor,hr,|,fullscreen,,ltr,rtl", 
     theme_advanced_buttons3 : "media,removeformat,cleanup", 
     theme_advanced_buttons4 : "", 
     theme_advanced_toolbar_location : "top", 
     theme_advanced_toolbar_align : "right", 
     theme_advanced_statusbar_location : "bottom", 
     theme_advanced_resizing : true, 


     // Example content CSS (should be your site CSS) 
     content_css : "css/content.css", 

     // Drop lists for link/image/media/template dialogs 
     template_external_list_url : "lists/template_list.js", 
     external_link_list_url : "lists/link_list.js", 
     external_image_list_url : "lists/image_list.js", 
     media_external_list_url : "lists/media_list.js", 

     // Style formats 
     style_formats : [ 
      {title : 'Bold text', inline : 'b'}, 
      {title : 'Red text', inline : 'span', styles : {color : '#ff0000'}}, 
      {title : 'Red header', block : 'h1', styles : {color : '#ff0000'}}, 
      {title : 'Example 1', inline : 'span', classes : 'example1'}, 
      {title : 'Example 2', inline : 'span', classes : 'example2'}, 
      {title : 'Table styles'}, 
      {title : 'Table row 1', selector : 'tr', classes : 'tablerow1'} 
     ], 

     // Replace values for the template plugin 
     template_replace_values : { 
      username : "Some User", 
      staffid : "991234" 
     } 
    }); 
</script> 
<!-- /TinyMCE --> 

<?php 



#=======================================insert news========================================== 
$insert = false; // initialised so the check below does not read an undefined variable on first load
if (isset($_POST['submit'])){ 

$topic_title =$_POST['topic_title']; 
$topic   =$_POST['topic']; 
$id_topic  =$_POST['topic_sec']; 
$image1   =$_POST['image1']; 
$image2   =$_POST['image2']; 
$today   =gmdate("d,m,Y"); 
$date   =$_POST['date']; 
$status   =$_POST['status']; 


$insert=mysql_query("insert into topics values('','$topic_title','$image1','$image2', 
'$id_topic','$topic','$today','','$status')")or die (mysql_error()); 
} 
if ($insert){echo "<script>alert(\"topic has been added\");</script> 
<meta http-equiv='refresh' content='0; url=topics.php'/> 
";} 

?> 



<div id='right'>add a new topic</div> 


<form action='' method='post' dir='rtl'> 
<table width='100%' cellpadding='5' cellspacing='10' dir='rtl'> 
<tr> 
<td>topic title</td> 
<td><input type='text' name='topic_title' id='topic_title'/></td> 
</tr> 

<tr> 
<td>upper image</td> 
<td><input type='text' name='image1' size='70%'/></td> 
</tr> 

<tr> 
<td>left image</td> 
<td><input type='text' name='image2' size='70%'/></td> 
</tr> 



<tr> 
<td>topic section</td> 
<td> 
<select name='topic_sec'> 

<?php 
$select=mysql_query("select * from sections")or die (mysql_error()); 
while ($row=mysql_fetch_object($select)){ 
echo "<option value='$row->id_sec'>$row->sec_name</option>"; 
} 

?> 

</select> 
</td> 
</tr> 

<tr> 
<td>topic</td> 
<td > 
<textarea cols='100' rows='25' name='topic' ></textarea> 
</td> 
</tr> 

<tr> 
<td>state</td> 
<td> 
<select name='status'> 
<option value='1'>active</option> 
<option value='2'>unactive</option> 
</select> 
</td> 
</tr> 

<tr> 
<td colspan='2' ><input type='submit' id='subbot' name='submit' value='add'/></td> 
</tr> 


</table> 
<input type='hidden' name='date' value='<?=$today;?>'/> 

</form> 
<br/> 


</body> 
</html> 
+1

Does the text you're copying contain single-quote characters? They need to be escaped. – MichaelRushton

+3

Why post the whole page when the only problem is a SQL syntax error? –

+0

Are all of the fields VARCHARs? If not, you have to remove some of the quotes. –

Answer

0

You can use mysql_real_escape_string() to sanitize your variables before inserting them into the database - that should take care of any problems with single quotes etc.

By the way, you should at least do some sanitizing of the POST variables (at minimum mysql_real_escape_string()) before inserting them into the database, to prevent SQL injection attacks.

+0

Thanks guys, the problem has been solved by using mysql_real_escape – user1692901
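The following is an added example, not the asker's or the answerer's code. It reproduces why the interpolated INSERT from the question breaks on pasted text that contains an apostrophe, shows the minimal escaping fix the answer suggests, and shows the stronger fix with a prepared statement. It uses mysqli (the mysql_* extension was removed in PHP 7); the database connection and its credentials are assumed placeholders, and the column order follows the 9-value INSERT in the question.

```php
<?php
// Added example (not the asker's code or the answerer's). The mysqli
// connection is assumed; the column order mirrors the question's INSERT.

// Constructed sample: pasted text with an apostrophe, like the Gmail paste.
$pasted_topic = "It doesn't matter, no matter where the cursor is";

// 1. Vulnerable pattern from the question: data interpolated into the SQL text.
//    The apostrophe in $topic closes the string literal early, so MySQL parses
//    ...,'It doesn't matter, ...' as a broken statement and reports a syntax
//    error. The same mechanism is what makes the query injectable.
function build_insert_unsafe(string $title, string $topic): string {
    return "insert into topics values('','$title','','','1','$topic','','','1')";
}

// 2. Minimal fix from the answer: escape every value before interpolating it.
//    mysqli::real_escape_string is the mysqli equivalent of mysql_real_escape_string().
function build_insert_escaped(mysqli $db, string $title, string $topic): string {
    $title = $db->real_escape_string($title);
    $topic = $db->real_escape_string($topic);   // ' becomes \'
    return "insert into topics values('','$title','','','1','$topic','','','1')";
}

// 3. Preferred fix: a prepared statement. Values never touch the SQL grammar,
//    so quotes, backslashes and injection payloads are stored as plain data.
function insert_topic(mysqli $db, string $title, string $image1, string $image2,
                      int $id_topic, string $topic, int $status): int {
    $today = gmdate("d,m,Y");                     // same date format as the question
    $stmt = $db->prepare(
        "insert into topics values('', ?, ?, ?, ?, ?, ?, '', ?)"
    );
    // s = string, i = integer; one type letter per placeholder, in order
    $stmt->bind_param('sssissi', $title, $image1, $image2, $id_topic, $topic, $today, $status);
    $stmt->execute();
    return $stmt->affected_rows;                  // 1 on success
}

// Demonstration of the broken SQL; needs no database connection.
echo build_insert_unsafe('Test', $pasted_topic), "\n";

// Usage against a real connection (placeholder credentials):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// insert_topic($db, 'Test', '', '', 1, $pasted_topic, 1);
```

Running the script prints the malformed statement from build_insert_unsafe(), which is the string MySQL rejected in the question; the escaped and prepared variants accept the same input.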