function insertVisitorInfoSignIn($att_id, $card_no, $purpose, $block, $level, $staff_email, $pa_email, $staff_id,$dept_id){
$time_in = getTime();
$sql = "insert into visitor_history (att_id, card_no, time_in, purpose, block, level, staff_email, pa_email, staff_id,dept_id)
values ($att_id, '$card_no', '$time_in', '$purpose', '$block', '$level', '$staff_email', '$pa_email', $staff_id,$dept_id)";
$rs = mysql_query($sql) or die ("Error in function insertVisitorInfoSignIn ");
}
这就是您正在使用的:
$sql = "insert into visitor_history
( att_id, card_no, time_in, purpose, block,
level, staff_email, pa_email, staff_id, dept_id)
values ( $att_id, '$card_no', '$time_in', '$purpose', '$block',
'$level', '$staff_email', '$pa_email', $staff_id, $dept_id)";
应该是这样的:
$sql = "insert into visitor_history
( att_id, card_no, time_in, purpose, block,
level, staff_email, pa_email, staff_id,dept_id)
values ( '$att_id', '$card_no', '$time_in', '$purpose', '$block',
'$level', '$staff_email', '$pa_email', '$staff_id', '$dept_id')";
在通过变量传递值时,您在查询中遗漏了某些变量中的''。
我们建议您使用mysql_real_escape_string()来防止您的数据库被SQL注入,也可以尝试使用mysqli或PDO,因为不赞成使用mysql扩展。