插入 MySQL 表 PHP
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/17138561/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Insert into MySQL Table PHP
提问by Jake Ols
I am having some trouble making a simple form to insert data into a MySQL table. I keep getting this SQL error:
我在制作一个简单的表单以将数据插入 MySQL 表时遇到了一些麻烦。我不断收到此 SQL 错误:
"Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'stock ('ItemNumber', 'Stock') VALUES ('#4','3'')' at line 1"
“错误:您的 SQL 语法有错误;请检查与您的 MySQL 服务器版本相对应的手册,了解在 'stock ('ItemNumber', 'Stock') VALUES ('#4','3') 附近使用的正确语法')' 在第 1 行"
My HTMLfor the form is:
我的表单HTML是:
<form action="database.php" method="post">
Item Number: <input type="text" name="ItemNumber">
Stock: <input type="text" name="Stock">
<input type="submit">
</form>
And the PHPis:
而PHP是:
<?php
$con=mysqli_connect("localhost","root","root","inventory");
if (mysqli_connect_errno($con))
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql = "INSERT INTO current stock ('ItemNumber', 'Stock')
VALUES
('$_POST[ItemNumber]','$_POST[Stock]'')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
回答by echo_Me
try this
尝试这个
you should not use quotes of parameter around POST . and you should use them inside POST
你不应该在 POST 周围使用参数的引号。你应该在 POST 中使用它们
$sql = "INSERT INTO `current stock` (ItemNumber, Stock)
VALUES
('".$_POST['ItemNumber']."', '".$_POST['Stock']."' )";
you should escape your variables before you insert them to mysql like that
在像这样将变量插入 mysql 之前,您应该对其进行转义
- Note that the example does not call
mysqli_real_escape_string. You would only need to usemysqli_real_escape_stringif you were embedding the string directly in the query, but I would advise you to never do this. Always use parameters whenever possible.
- 请注意,该示例不会调用
mysqli_real_escape_string.mysqli_real_escape_string如果您直接在查询中嵌入字符串,则只需要使用,但我建议您永远不要这样做。尽可能始终使用参数。
回答by John Conde
You have an extra quote and you need ticks around your table name as it contains a space.
你有一个额外的引号,你需要在你的表名周围打勾,因为它包含一个空格。
INSERT INTO current stock ('ItemNumber', 'Stock')
VALUES
('$_POST[ItemNumber]','$_POST[Stock]'')";
should be:
应该:
INSERT INTO `current stock` (`ItemNumber`, `Stock`)
VALUES
('$_POST[ItemNumber]','$_POST[Stock]')";
FYI, you also wide open to SQL injections
回答by Niraj
?php
$conn=new mysqli("localhost","root","","inventory")
or die("not connected".mysqli_connect_error());
if(isset($_POST['submit']{
$ItemNumber=$_POST['ItemNumber'];
$Stock=$_POST['Stock'];
$sql="insert into current stock(ItemNumber,Stock) values('$ItemNumber','$Stock')";
$query=mysqli_query($conn,$sql);
if($query){
echo"1 row inserted";
}else{
echo mysqli_error($conn);
}
}
?>
回答by Bill Karwin
Please learn to use parameter binding. You are creating code with security vulnerabilities.
请学习使用参数绑定。您正在创建具有安全漏洞的代码。
Here's how to do your code in mysqli:
以下是如何在 mysqli 中执行您的代码:
$sql = "INSERT INTO current stock (ItemNumber, Stock) VALUES (?, ?)";
if (!($stmt = mysqli_prepare($con, $sql))) {
die('Error: ' . mysqli_error($con));
}
if (!mysqli_stmt_bind_param($stmt, "ii", $_POST[ItemNumber], $_POST[Stock])) {
die('Error: ' . mysqli_stmt_error($stmt));
}
if (!mysqli_stmt_execute($stmt)) {
die('Error: ' . mysqli_stmt_error($stmt));
}
It's easier to use bound parameters than to get all confused with quotes-within-quotes.
使用绑定参数比与引号内的引号混淆更容易。
回答by Niraj
<form action="database.php" method="post">
Item Number: <input type="text" name="ItemNumber">
Stock: <input type="text" name="Stock">
<input type="submit" name="submit">
</form>`
