我正在尝试运行mySQL插入语句,如下所示:
function insertAppointment($connection, $id, $firstname, $lastname, $email, $phone, $date, $time){
$sql = "INSERT INTO `appointments` (firstname, lastname, email, phone, app_date, app_time) VALUES ('" . $id . "', '" . $firstname . "', '" . $lastname . "', '" . $email . "', " . $date . ", " . $time . ")";
$connection->query($sql);
}
$connection是我的连接字符串,这不是问题所在。我可以用它来选择这样的语句:
function getTakenDates($connection){
$query = mysqli_query($connection, "SELECT app_date, app_time FROM `appointments`");
$results = array();
while($row = mysqli_fetch_assoc($query)){
$results[] = $row;
}
return $results;
}
您很容易受到SQL注入攻击,并且使用$date/$time值创建了不正确的查询:
INSERT .... VALUES (..., 2014-11-10, 14:58:00)
由于您的日期值是不带引号的,您实际上将尝试插入该数学运算的结果(记住,如果-
不在字符串中,它就是SUBTRACTION),14:58:00是一个完全无效的数字-mysql不知道:
字符是什么。
你想要
$sql = "[..snip..] "', '" . $date . "', '" . $time . "')";
^-------------^--^-------------^----
相反。注意多余的引号。这将产生
INSERT .... VALUES (..., '2014-11-10', '14:58:00')