php SQL 语法错误 MariaDB 服务器版本,用于在第 1 行的“@hotmail.com,Employee)”附近使用正确的语法
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/42186938/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
SQL syntax error MariaDB server version for the right syntax to use near '@hotmail.com,Employee)' at line 1
提问by sajaNgaKavaja
I am trying to make a sign up page using php and then when I write the mysql statements below it won't accept it rather it will spit out an error which I am trying to figure out for hours now.
我正在尝试使用 php 制作一个注册页面,然后当我在下面编写 mysql 语句时,它不会接受它,而是会吐出一个错误,我现在正试图找出几个小时。
$query = "INSERT INTO users(username, password,name,surname,email,role)VALUES($username, $password,$name,$lastname,$email,$role)";
$stmt = mysqli_prepare ($dbh, $query) or die(mysqli_error($dbh));
The error that shows is:
显示的错误是:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@hotmail.com,Employee)' at line 1.
您的 SQL 语法有错误;检查与您的 MariaDB 服务器版本相对应的手册,了解在第 1 行的“@hotmail.com,Employee)”附近使用的正确语法。
回答by hartwecm
Make sure you use proper quotes if you insert strings:
如果插入字符串,请确保使用正确的引号:
$query = "INSERT INTO users(username, password,name,surname,email,role)VALUES('$username', '$password','$name','$lastname','$email','$role')";
回答by Qirel
You start to use prepared statements, but then you turn around and insert variables directly into the query - don't do that, as it directly defeats the purpose of using prepare(). Bind your variables instead.
您开始使用准备好的语句,但随后您转过身将变量直接插入到查询中 - 不要这样做,因为它直接违背了使用prepare(). 而是绑定您的变量。
$query = "INSERT INTO users(username, password, name, surname, email, role) VALUES (?, ?, ?, ?, ?)";
$stmt = mysqli_prepare($dbh, $query) or die(mysqli_error($dbh));
$stmt->bind_param('sssss', $username, $password, $name, $lastname, $email, $role);
$stmt->execute();
$stmt->close();
Your original error came due to lack of quotes around strings in the query, but when using prepared statements with placeholders, you shouldn't have it either.
您最初的错误是由于查询中的字符串周围缺少引号引起的,但是当使用带有占位符的准备好的语句时,您也不应该有它。
If you've used mysqli_real_escape_string()on your variables that you insert, you should now remove that - as these variables are now parameterized in the query.
如果您在mysqli_real_escape_string()插入的变量上使用过,则现在应该删除它 - 因为这些变量现在已在查询中参数化。
See the below links and documentation
请参阅以下链接和文档
回答by Roman
For security reasons you should not use the variables inside the query.
出于安全原因,您不应在查询中使用变量。
Instead use this:
而是使用这个:
$stmt = mysqli_prepare($link, "INSERT INTO users(username, password,name,surname,email,role)VALUES(?,?,?,?,?,?)");
mysqli_stmt_bind_param($stmt, 'ssssss', $password, $name, $surname, $email, $role);
mysqli_stmt_execute($stmt);
Take a look at the php-documentation:
看看php文档:
