MySQL 和 PHP 意外的 T_Variable [英] MySQL and PHP Unexpected T_Variable

问题描述

好的，所以我写了一个 register.php 脚本，当命令尝试执行时，我得到了一个意外的 T 变量.错误出现在第 15 行

Okay, so I have a register.php script written and I get an unexpected T Variable when the command tries to execute. The error lies on line 15 at

('$_Post[username]','$_Post[sha_pass_hash]','$_Post[email]','2')";

根据 Dreamweaver 在第 20 行的说法，我的语法中还有第二个错误

I also have a second error in my syntax according to Dreamweaver at line 20 for

    die('Error: ' . mysql_error());

如果有人可以提供帮助，将不胜感激.提前致谢.

If anyone could help it would be greatly appreciated. Thank you in advance.

推荐答案

STOP

直接从 post 插入数据库总是一个坏主意.这就是 PHP 目前坚持使用非常不直观的魔术引号的原因.

STOP

Inserting into a database directly from post is always a bad idea. This is the reason PHP is currently stuck with the very un-intuitive magic quotes.

您至少应该使用 mysql_real_escape_string() 来转义您的数据.例如:

You should at the very least be using mysql_real_escape_string() to escape your data. For example:

$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
OR die(mysql_error());

$query = "INSERT INTO users VALUES (
    '" . mysql_real_escape_string($_POST["username"]) . "',
    '" . mysql_real_escape_string($_POST["sha_pass_hash"]) . "',
    '" . mysql_real_escape_string($_POST["email"]) . "',
    '2'
)";

mysql_query($query);

您必须这样做的原因是基于安全性.例如，如果某些恶意将用户名字段设置为 ');DROP TABLE users; 无需先转义您的数据.您最终会盲目地运行以下查询:

The reason you have to do this is security based. For example if some malicious set the username field to '); DROP TABLE users; without first escaping your data. You would end up blindly running the following query:

INSERT INTO users VALUES (''); DROP TABLE users;

对于您的应用程序来说，这当然不会有好的结局.

Which of course isn't going to end well for your application.

这是您应该做的最低要求.

实际上你真的应该转向MySQLi 这是一个更现代的 MySQL 界面.这是一个例子

In reality you should really be moving onto MySQLi Which is a much more modern MySQL interface. Here is an example

$mysqli = new mysqli('mysql_host', 'mysql_user', 'mysql_password', 'mysql_database');

$query = "INSERT INTO users VALUES (
    '" . $mysqli->real_escape_string($_POST["username"]) . "',
    '" . $mysqli->real_escape_string($_POST["sha_pass_hash"]) . "',
    '" . $mysqli->real_escape_string($_POST["email"]) . "',
    '2'
)";

$mysqli->query($query);

您甚至可以以程序风格使用 MySQL.因此，如果面向对象的编程不是您的能力范围内，那么您使用 MySQLi 不会有任何问题.

You can even use MySQL in a procedural style. So if Object orientated programing isn't with in your reach yet you will have no problems with MySQLi.

希望有所帮助.

这篇关于MySQL 和 PHP 意外的 T_Variable的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！