0
$sql = "INSERT INTO $table_name VALUES
('$_POST[firstname]', '$_POST[lastname]', '$_POST[username]', password('$_POST[password]'), 'Users', '', '', '$pchange', 
'$_POST[email]', '$default_url', '$verify', '', 0, '', 0)";

$result = @mysql_query($sql,$connection) or die(mysql_error());

$sql, $connection and $table_name are all valid and have been used earlier in the script and the database, and this is what my database looks like:

firstname    varchar(20)   latin1_swedish_ci   Yes  NULL
lastname     varchar(20)   latin1_swedish_ci   Yes  NULL
username     varchar(20)   latin1_swedish_ci   Yes  NULL
password     varchar(50)   latin1_swedish_ci   Yes  NULL
group1       varchar(20)   latin1_swedish_ci   Yes  NULL
group2       varchar(20)   latin1_swedish_ci   Yes  NULL
group3       varchar(20)   latin1_swedish_ci   Yes  NULL
pchange      varchar(1)    latin1_swedish_ci   Yes  NULL
email        varchar(100)  latin1_swedish_ci   Yes  NULL
redirect     varchar(100)  latin1_swedish_ci   Yes  NULL
verified     varchar(1)    latin1_swedish_ci   Yes  NULL
last_login   date                              Yes  NULL
balance      double        UNSIGNED            Yes  0
address      varchar(60)   latin1_swedish_ci   Yes  NULL
lostbalance  double                            Yes  0

Thanks in advance.

4

3 Answers

4

There is no error because of the @:

@mysql_query($sql,$connection) or die(mysql_error());

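@ suppresses errors from the mysql_query() function.

I see multiple errors in your statement:

  1. '$_POST[firstname]' - should be $_POST['firstname']. Store the value in a variable or use concatenation: "'.$_POST['firstname'].'"

  2. Use mysql_query($sql) or die(mysql_error());

  3. Escape all data you store in the database.

answered 2012-05-10T13:38:04.910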
1

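First of all, not filtering any user input is not good security practice, because soon you will be the victim of SQL injection and/or XSS attacks. You should filter user input this way:

$var = filter_var($_POST['var'], FILTER_SANITIZE_STRING);

Then you should use $var in your SQL query instead of using $_POST['var'] directly, i.e.: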

$sql = "INSERT INTO $table_name VALUES
('$firstname', '$lastname', '$username', password('$password'), 'Users', '', '', '$pchange', 
'$email', '$default_url', '$verify', '', 0, '', 0)";
answered 2012-05-10T13:40:30.837
-2

You must name the table columns before "VALUES"

INSERT INTO $table_name (field_1, field2, ...) VALUES ($_POST_1, ...)
answered 2012-05-10T13:37:01.833
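
The points raised in the answers (do not suppress errors with @, keep user input out of the SQL text, name the columns) combined in one place, as an added example that is not part of the original thread. It uses PDO prepared statements, which the answers do not mention, with an in-memory SQLite database standing in for MySQL; the table name, column subset and sample values are constructed.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for the MySQL
// server; for MySQL only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
// Make every failed statement throw instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (
    firstname VARCHAR(20), lastname VARCHAR(20), username VARCHAR(20),
    password VARCHAR(255), group1 VARCHAR(20), email VARCHAR(100)
)');

// Constructed stand-in for $_POST; the apostrophe would end the string
// literal early if the value were interpolated into the SQL text.
$post = [
    'firstname' => 'Conor', 'lastname' => "O'Brien", 'username' => 'cobrien',
    'password'  => 'correct horse battery staple',
    'email'     => 'conor@example.com',
];

function insertUser(PDO $pdo, array $post): void
{
    // Columns are named, so the statement does not depend on column order
    // or on supplying a value for every column in the table.
    $stmt = $pdo->prepare(
        'INSERT INTO users (firstname, lastname, username, password, group1, email)
         VALUES (:firstname, :lastname, :username, :password, :group1, :email)'
    );
    // Values travel as bound parameters and are never parsed as SQL.
    $stmt->execute([
        ':firstname' => $post['firstname'],
        ':lastname'  => $post['lastname'],
        ':username'  => $post['username'],
        // Hash is longer than the question's varchar(50); column widened here.
        ':password'  => password_hash($post['password'], PASSWORD_DEFAULT),
        ':group1'    => 'Users',
        ':email'     => $post['email'],
    ]);
}

try {
    insertUser($pdo, $post);
    echo $pdo->query('SELECT lastname FROM users')->fetchColumn(), "\n";
    // A statement with a wrong column name now fails loudly.
    $pdo->exec("INSERT INTO users (no_such_column) VALUES ('x')");
} catch (PDOException $e) {
    error_log('Insert failed: ' . $e->getMessage()); // log, do not echo to users
}
```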