mysqli_query 通过变量输入
我正在尝试使用以下 PHP 代码向 MySQL 表添加信息.(从 HTML5 基本 Web 表单输入名称和文本.)可能是语法问题?
I'm trying to add information to a MySQL table using the following PHP code. (The input the name and text from an HTML5 basic web form.) Probably a syntax issue?
<?php
include "dbinfo.php"; //contains mysqli_connect information (the $mysqli variable)
//inputs
$name = $_GET["name"];
$text = $_GET["text"];
$sqlqr = 'INSERT INTO `ncool`.`coolbits_table` (`name`, `text`, `date`) VALUES ("$name", "$text", CURRENT_TIMESTAMP);'; //the query. I'm pretty sure that the problem is a syntax one, and is here somewhere.
mysqli_query($mysqli,$sqlqr); //function where the magic happens.
?>
没有抛出错误.一个空白的屏幕结果,一个带有$name"和$text"的行被添加到 MySQL 表中.
No error is thrown. A blank screen results, and a row with "$name" and "$text" is added to the MySQL table.
推荐答案
这就是您的代码的外观(添加了 SQL 注入保护):
<?php
include "dbinfo.php"; //contains mysqli_connect information (the $mysqli variable)
//inputs
$name = mysqli_real_escape_string($_GET['name']);
$text = mysqli_real_escape_string($_GET['text']);
$sqlqr = "INSERT INTO `ncool`.`coolbits_table` (`name`, `text`, `date`) VALUES ('" . $name . "', '" . $text . "', CURRENT_TIMESTAMP);";
mysqli_query($mysqli,$sqlqr); //function where the magic happens.
?>
看看我做了什么.首先,我已经将您正在检索的用户输入转义到 $name
和 $text
变量中(出于安全原因,这几乎是必须的),正如其他人所建议的您最好使用准备好的语句.
Take a look at what I've done. Firstly I've escaped the user input you're retrieving into the $name
and $text
variables (this is pretty much a must for security reasons) and as others have suggested you should preferably be using prepared statements.
问题是您没有用单引号 (') 将字符串值括起来,这是 SQL 语法的要求.
The problem is that you weren't surrounding string values with single quotes ('), which is a requirement of the SQL syntax.
我希望这有助于回答您的问题.
I hope this helps to answer your question.
相关文章