,当我张贴的东西进入我的HTML形式,例如在第一个名称字段,我输入:SQL语法错误/字符recogition
'John', i am getting the following error:
错误查询。
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Smith',Address_Line_1='rtuy657tr',Address_Line_2='',City='leicester',Postcode='L' at line 1
我知道它有什么做的mysql_real_escape_string()
功能,但我会怎么使用它插入到数据库。我已经开始功能:
function db_insert_preparation(){
}
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("project1", $con);
这是它需要使用:
$sql2 = "INSERT INTO `".$table_name."` (`Group`, `Date_Of_Birth`, `Gender`, `Title`, `First_Name`, `Last_Name`, `Address_Line_1`, `Address_Line_2`, `City`, `Postcode`, `Contact_No`, `Email`, `Additional_Comment`, `Upload_File`) VALUES ('".db_insert_preparation($group)."','".$_POST[dateofbirth]."','".$_POST[gender]."','".$_POST[title]."','".$_POST[firstname]."','".$_POST[lastname]."','".$_POST[address1]."','".$_POST[address2]."','".$_POST[city]."','".$_POST[postcode]."','".$_POST[contactno]."','".$_POST[email]."','".$_POST[note]."','".$filename."')";
我是否需要定制功能? – mayman212
是的,在将它传递给服务器之前,请始终过滤输入。否则,它很容易SQL注入...! –
这是有效的吗? ''.mysql_real_escape_string($ _ POST [firstname])。“','”。mysql_real_escape_string($ _ POST [lastname])。'' – mayman212