MySQL 和 PHP 意外的 T_Variable [英] MySQL and PHP Unexpected T_Variable
问题描述
好的,所以我写了一个 register.php 脚本,当命令尝试执行时,我得到了一个意外的 T 变量.错误出现在第 15 行
Okay, so I have a register.php script written and I get an unexpected T Variable when the command tries to execute. The error lies on line 15 at
('$_Post[username]','$_Post[sha_pass_hash]','$_Post[email]','2')";
根据 Dreamweaver 在第 20 行的说法,我的语法中还有第二个错误
I also have a second error in my syntax according to Dreamweaver at line 20 for
die('Error: ' . mysql_error());
如果有人可以提供帮助,将不胜感激.提前致谢.
If anyone could help it would be greatly appreciated. Thank you in advance.
推荐答案
STOP
直接从 post 插入数据库总是一个坏主意.这就是 PHP 目前坚持使用非常不直观的魔术引号的原因.
STOP
Inserting into a database directly from post is always a bad idea. This is the reason PHP is currently stuck with the very un-intuitive magic quotes.
您至少应该使用 mysql_real_escape_string() 来转义您的数据.例如:
You should at the very least be using mysql_real_escape_string() to escape your data. For example:
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
OR die(mysql_error());
$query = "INSERT INTO users VALUES (
'" . mysql_real_escape_string($_POST["username"]) . "',
'" . mysql_real_escape_string($_POST["sha_pass_hash"]) . "',
'" . mysql_real_escape_string($_POST["email"]) . "',
'2'
)";
mysql_query($query);
您必须这样做的原因是基于安全性.例如,如果某些恶意将用户名字段设置为 ');DROP TABLE users;
无需先转义您的数据.您最终会盲目地运行以下查询:
The reason you have to do this is security based. For example if some malicious set the username field to '); DROP TABLE users;
without first escaping your data. You would end up blindly running the following query:
INSERT INTO users VALUES (''); DROP TABLE users;
对于您的应用程序来说,这当然不会有好的结局.
Which of course isn't going to end well for your application.
这是您应该做的最低要求.
实际上你真的应该转向MySQLi 这是一个更现代的 MySQL 界面.这是一个例子
In reality you should really be moving onto MySQLi Which is a much more modern MySQL interface. Here is an example
$mysqli = new mysqli('mysql_host', 'mysql_user', 'mysql_password', 'mysql_database');
$query = "INSERT INTO users VALUES (
'" . $mysqli->real_escape_string($_POST["username"]) . "',
'" . $mysqli->real_escape_string($_POST["sha_pass_hash"]) . "',
'" . $mysqli->real_escape_string($_POST["email"]) . "',
'2'
)";
$mysqli->query($query);
您甚至可以以程序风格使用 MySQL.因此,如果面向对象的编程不是您的能力范围内,那么您使用 MySQLi 不会有任何问题.
You can even use MySQL in a procedural style. So if Object orientated programing isn't with in your reach yet you will have no problems with MySQLi.
希望有所帮助.
这篇关于MySQL 和 PHP 意外的 T_Variable的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!