You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near `'1','7','123tw')'` at line 2. You have an error in your SQL syntax; when trying to submit the form
I get the above error when submitting the form.
<?php
session_start();
$branch=$_SESSION['branch'];
include('../dist/includes/dbcon.php');
$name = $_POST['prod_name'];
$price = $_POST['prod_price'];
$desc = $_POST['prod_desc'];
$supplier = $_POST['supplier'];
$reorder = $_POST['reorder'];
$category = $_POST['category'];
//$quantity = $_POST['prod_qty'];
$serialn = $_POST['serialn'];
// the raw POST value $name is interpolated straight into the SQL text; nothing is escaped
$query2=mysqli_query($con,"select * from product where prod_name='$name' and branch_id='$branch'")or die(mysqli_error($con));
$count=mysqli_num_rows($query2);
if ($count>0)
{
echo "<script type='text/javascript'>alert('Product already exist!');</script>";
echo "<script>document.location='product.php'</script>";
}
else
{
$pic = $_FILES["image"]["name"];
if ($pic=="")
{
$pic="default.gif";
}
else
{
$pic = $_FILES["image"]["name"];
$type = $_FILES["image"]["type"];
$size = $_FILES["image"]["size"];
$temp = $_FILES["image"]["tmp_name"];
$error = $_FILES["image"]["error"];
if ($error > 0)
{
die("Error uploading file! Code $error.");
}
else{
if($size > 100000000000) //only the size is checked (about 100 GB); the file type is never validated despite the message
{
die("Format is not allowed or file size is too big!");
}
else
{
move_uploaded_file($temp, "../dist/uploads/".$pic);
}
}
}
// $reorder is preceded by a space instead of an opening quote, so the quoting of every later value is shifted
mysqli_query($con,"INSERT INTO product(prod_name,prod_price,prod_desc,prod_pic,cat_id,reorder,supplier_id,branch_id,serialn)
VALUES('$name','$price','$desc','$pic','$category', $reorder','$supplier','$branch','$serialn')")or die(mysqli_error($con));
echo "<script type='text/javascript'>alert('Successfully added new product!');</script>";
echo "<script>document.location='product.php'</script>";
}
?>
You are wide open to [SQL injection](http://php.net/manual/en/security.database.sql-injection.php) and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of concatenating your queries. Especially since you are not escaping the user input at all!
Forget about this question and refactor your code with Prepared Statements first (which will change your queries), and your problem will most likely be solved in the process. Don't waste time debugging insecure code that you need to update anyway.
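The refactor the comments ask for, as an added example that is not the asker's code or the commenters' code: the same duplicate check and INSERT using mysqli prepared statements, plus a server-chosen upload filename. It assumes `$con` from dbcon.php is a mysqli connection object and that the table and column names are the ones in the question.

```php
<?php
// Added example: assumes $con (from dbcon.php) is a mysqli object and the
// product table has the columns used in the question.
declare(strict_types=1);
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
include '../dist/includes/dbcon.php';
$branch   = $_SESSION['branch'] ?? '';
$name     = $_POST['prod_name'] ?? '';
$price    = $_POST['prod_price'] ?? '';
$desc     = $_POST['prod_desc'] ?? '';
$supplier = $_POST['supplier'] ?? '';
$reorder  = $_POST['reorder'] ?? '';
$category = $_POST['category'] ?? '';
$serialn  = $_POST['serialn'] ?? '';

// Duplicate check: values travel as bound parameters, never inside the SQL text.
$stmt = $con->prepare('SELECT 1 FROM product WHERE prod_name = ? AND branch_id = ?');
$stmt->bind_param('ss', $name, $branch);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0) {
    echo "<script>alert('Product already exists!');document.location='product.php';</script>";
    exit;
}

// Upload: ignore the client-supplied filename, allow only a few image
// extensions and a sane size, and store under a server-generated name.
$pic = 'default.gif';
if (!empty($_FILES['image']['name']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {
    $ext = strtolower(pathinfo($_FILES['image']['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true) || $_FILES['image']['size'] > 2000000) {
        die('Format is not allowed or file size is too big!');
    }
    $pic = bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['image']['tmp_name'], '../dist/uploads/' . $pic)) {
        die('Error uploading file!');
    }
}

// INSERT with nine placeholders: the quoting slip from the question cannot
// recur because the SQL text contains no quoted values at all.
$stmt = $con->prepare(
    'INSERT INTO product (prod_name, prod_price, prod_desc, prod_pic, cat_id, reorder, supplier_id, branch_id, serialn)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('sssssssss', $name, $price, $desc, $pic, $category, $reorder, $supplier, $branch, $serialn);
$stmt->execute();
echo "<script>alert('Successfully added new product!');document.location='product.php';</script>";
```

Binding everything as strings is fine for MariaDB, which converts them to the column types; switch the type letters to `i`/`d` if you want the driver to reject non-numeric prices or quantities.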