mysqli 插入错误不正确的语法

时间:2023-03-06
本文介绍了mysqli 插入错误不正确的语法的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

我知道很多人偶尔会遇到同样的错误,但是我已经查看了所有以前的答案和我的代码,并且我尝试了带有和不带有反引号的 col这是我当前的代码我也尝试过 $var 以及 $var 但相同的

I know a lot of people have the same error occasionally however I have looked at all previous answers and my code and i have tried col with and without backticks Here is my current code I also have tried with $var as well as just $var but same

if(!empty($_POST['email'])){
 $date = date('dmY'); #Todays Date
 $ip = str_replace('.','',$_SERVER['REMOTE_ADDR']); #Visitor IP
 $verify = md5($date.$ip); #MD5 ENCRYPT THE 2 VALUES
 $fname = $_POST['fname'];
 $lname = $_POST['lname'];  
 $email = $_POST['email'];
 $password = md5($_POST['password']);
 $link = mysqli_connect($dbh,$dbu, $dbp, $dbn);

 $query = mysqli_query($link, "INSERT INTO `users` (`email`,`fname`,`lname`,`verify`,`password`,`joined`)
VALUES($email,$fname,$lname,$verify,$password,$date)");

 if($query){ 
  echo "inserted"; 
 }
 else { 
  echo mysqli_error($link);
 }

表中还有其他列,但是只有上面的列我想为其余的添加数据,最初可以使用默认值

There are other columns in the table however its only the above columns I want to add data for the rest can use default values initially

我一直在看这段代码,现在我只是无法发现我的问题,我知道它有些愚蠢

I've been looking at this code for so long now I just cant spot my problem, I know its something silly

推荐答案

将变量添加到 SQL 查询中最不会出错的方法是通过准备好的语句添加它.

The most mistake-proof way to add a variable into an SQL query is to add it through a prepared statement.

因此,对于您运行的每个查询,如果至少要使用一个变量,您必须用占位符替换它,然后准备您的查询,然后执行它,分别传递变量.

So, for every query you run, if at least one variable is going to be used, you have to substitute it with a placeholder, then prepare your query, and then execute it, passing variables separately.

首先,您必须更改查询,添加占位符来代替变量.您的查询将变为:

First of all, you have to alter your query, adding placeholders in place of variables. Your query will become:

$sql = "INSERT INTO users (fname, lname) VALUES (?, ?)";

然后,您必须准备它,绑定变量并执行:

Then, you will have to prepare it, bind variables, and execute:

$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, "ss", $fname, $lname);
mysqli_stmt_execute($stmt);

如您所见,它只是三个简单的命令:

As you can see, it's just three simple commands:

  • prepare() 用于发送带有占位符的查询
  • bind_param 用于发送带有类型的字符串(s"表示字符串,实际上您可以将它用于任何类型)而不是实际变量.
  • 并执行()

通过这种方式,您可以始终确保添加到查询中的数据不会导致任何 SQL 语法错误!作为奖励,此代码也可以防止 SQL 注入!

This way, you can always be sure that not a single SQL syntax error can be caused by the data you added to the query! As a bonus, this code is bullet-proof against SQL injection too!

了解仅在变量周围添加引号是不够的非常重要,并且最终会导致无数问题,从语法错误到 SQL 注入.另一方面,由于准备好的语句的性质,它是一种防弹解决方案,不可能通过数据变量引入任何问题.

It is very important to understand that simply adding quotes around a variable is not enough and will eventually lead to innumerable problems, from syntax errors to SQL injections. On the other hand, due to the very nature of prepared statements, it's a bullet-proof solution that makes it impossible to introduce any problem through a data variable.

这篇关于mysqli 插入错误不正确的语法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

上一篇:使用 MySQLi 的 SUM 的单个结果 下一篇:有没有办法打印 mysqli->execute() 所做的实际查询?

相关文章