mysqli_query通过变量输入 [英] mysqli_query inputs via variable

问题描述

我正在尝试使用以下PHP代码将信息添加到MySQL表中. (输入HTML5基本网络表单的名称和文本.)可能是语法问题?

I'm trying to add information to a MySQL table using the following PHP code. (The input the name and text from an HTML5 basic web form.) Probably a syntax issue?

<?php
include "dbinfo.php"; //contains mysqli_connect information (the $mysqli variable)
//inputs
$name = $_GET["name"];
$text = $_GET["text"];

$sqlqr = 'INSERT INTO `ncool`.`coolbits_table` (`name`, `text`, `date`) VALUES ("$name", "$text", CURRENT_TIMESTAMP);'; //the query. I'm pretty sure that the problem is a syntax one, and is here somewhere.

mysqli_query($mysqli,$sqlqr); //function where the magic happens.
?>

没有引发错误.屏幕空白，并将带有"$ name"和"$ text"的行添加到MySQL表中.

No error is thrown. A blank screen results, and a row with "$name" and "$text" is added to the MySQL table.

推荐答案

这是您代码的外观(带有SQL注入保护):

<?php
include "dbinfo.php"; //contains mysqli_connect information (the $mysqli variable)
//inputs
$name = mysqli_real_escape_string($_GET['name']);
$text = mysqli_real_escape_string($_GET['text']);

$sqlqr = "INSERT INTO `ncool`.`coolbits_table` (`name`, `text`, `date`) VALUES ('" . $name . "', '" . $text . "', CURRENT_TIMESTAMP);";

mysqli_query($mysqli,$sqlqr); //function where the magic happens.
?>

看看我做了什么.首先，我已将要检索的用户输入转义到$name和$text变量中(出于安全原因，这几乎是必须的)，并且正如其他人所建议的那样，您最好使用准备好的语句.

Take a look at what I've done. Firstly I've escaped the user input you're retrieving into the $name and $text variables (this is pretty much a must for security reasons) and as others have suggested you should preferably be using prepared statements.

问题是您没有用单引号(')括住字符串值，这是SQL语法的要求.

The problem is that you weren't surrounding string values with single quotes ('), which is a requirement of the SQL syntax.

我希望这有助于回答您的问题.

I hope this helps to answer your question.

这篇关于mysqli_query通过变量输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！