我已经通过我的73年5月1日MySQL手册,我只是无法找到语法错误是,MySQL是给我,当我尝试发布/得到的东西:这是什么MySQL的语法错误?
mysqli_query($connect,'INSERT INTO serial (name, company, algo, country, notes) VALUES ('.$_GET['name'].','.$_GET['company'].','.$_GET['algo'].','.$_GET['country'].','.$_GET['notes'].')');
MySQL的错误:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FCINGZ000***,Unknown,Thanks)' at line 1
您应该将$_GET值分配给变量以防止出现语法错误。另外,使用mysqli_real_escape_string()来防止MySQL注入。
$name = mysqli_real_escape_string($connect, $_GET['name']);
$company = mysqli_real_escape_string($connect, $_GET['company']);
$algo = mysqli_real_escape_string($connect, $_GET['algo']);
$country = mysqli_real_escape_string($connect, $_GET['country']);
$notes = mysqli_real_escape_string($connect, $_GET['notes']);
mysqli_query($connect, "INSERT INTO serial (name, company, algo, country, notes) VALUES ('$name', '$company', '$algo', '$country', '$notes')");
请发布错误消息并搜索SQL注入。你可能会错过你的字符串值的单引号(''')。 – ccKep
@ccKep您的SQL语法有错误;检查与您的MySQL服务器版本相对应的手册,在第一行使用'FCINGZ000 ***,Unknown,Thanks'附近的正确语法'' – Kirsty
使用准备好的语句可以解决这个问题(你缺少围绕字符串值的引号)还将修复您拥有的巨大SQL注入漏洞,请参阅[如何防止PHP中的SQL注入?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in -php) –