由于某种原因,我的广告功能有点麻烦。嗯,每次我按下添加表单上的提交按钮,就会出现这个错误。
你的SQL语法有错误;查看手册对应于MySQL服务器版本,以便使用正确的语法靠近"这里的内容,这里的内容",使它看起来像可读的英语。
现在我不完全讲mysql,所以这对我来说只是jiberish。我想知道你们中是否有人能给我解释一下。所讨论的代码以**突出显示,并以**结尾。此外,所有的strtolower/htmlentities/strip_tags是我第一次尝试防止sql注入和xss。这方面的任何帮助也很好。提前谢谢你。
$error = array();
//revalidate form in case javascript is disabled
if(isset($_POST['add'])){
$title = strtolower(htmlentities(strip_tags($_POST['title'])));
$price = strtolower(htmlentities(strip_tags($_POST['price'])));
$location = strtolower(htmlentities(strip_tags($_POST['location'])));
$cat = strtolower(htmlentities(strip_tags($_POST['list_one'])));
$sub = strtolower(htmlentities(strip_tags($_POST['list_two'])));
$description = htmlentities(strip_tags($_POST['description']));
$email = strtolower(htmlentities(strip_tags($_POST['email'])));
$password = strtolower(htmlentities(strip_tags($_POST['password'])));
if(empty($title) || empty($price) || empty($location) || strcmp($cat,'none') == 0
|| strcmp($sub,'none') == 0 || empty($description) || empty($email) || empty ($password)){
$error[] = 'Please fill in the form!';
}else if(!is_numeric($price)){
$error[] = 'Price must be numeric!';
}else if(!preg_match('/^[a-zA-Z0-9_]+$/', $title)){
$error[] = 'Title must be alphanumeric!';
}else if(!preg_match('/^[a-zA-Z]+$/', $location)){
$error[] = 'Location must be characters only!';
}else if(strlen($location) > 17){
$error[] = 'Your location may not be more than 17 characters!';
}else if(!preg_match('/^([A-Za-z0-9_'-'.])+'@([A-Za-z0-9_'-'.])+'.([A-Za-z]{2,4})$/',$email)){
$error[] = 'Your email is not in the correct format!';
}else if(strlen($password) < 6){
$error[] = 'Your password must be atleast 6 characters long!';
}else{
//no errors. check email and password match
$hashPass = md5($password);
$query_user = mysql_query("SELECT * FROM users WHERE email='$email'") or die(mysql_error());
if(mysql_num_rows($query_user) != 0){
while($row = mysql_fetch_array($query_user)){
$user_id = $row['id'];
$pass = $row['password'];
}
if(strcmp($hashPass,$pass) == 0){
**$insert_ad = mysql_query("INSERT INTO ads(id,user_id,title,price,location,category,sub_category,description,dateCreated)
VALUES('','$user_id','$title','$price','$location','$cat','$sub','$description',CURRENT_DATE())") or die(mysql_error());**
}else{
$error[] = 'Your password didn''t match the password in our system';
}
}else{
$insert_user = mysql_query("INSERT INTO users(id, email, password, vote_count) VALUES ('','$email','$hashPass', 0)") or die(mysql_error());
$user_id = mysql_insert_id();
**$insert_ad = mysql_query("INSERT INTO ads(id,user_id,title,price,location,category,sub_category,description, dateCreated)
VALUES ('', '$user_id', '$title', '$price', '$location', '$cat', '$sub', '$description', CURRENT_DATE())") or die(mysql_error());**
}
}
if(!empty($error)){
foreach($error as $key => $values){
$error_message = "$values";
}
header('Location: add.php?error_with_add'.urlencode($error_message));
exit();
}
}
?>
出现该错误的主要原因是没有转义引号。例如,下面是不转义的情况:
$query = "INSERT INTO foo (something) VALUES ('I'm really interested in coding here.')";
注意单引号是如何在i后面结束的。
但是当您使用mysql_real_escape_string, MySQLi或PDO转义该值时,它变成如下所示:
$query = "INSERT INTO foo (something) VALUES ('I''m really interested in coding here.')";
并且,没有显示错误,因为引号被转义了。