0

下面的回声语句,

$statement = "INSERT INTO $tbl_name VALUES(" . $_GET['username'] . "," . $_GET['password'] . "," . $_GET['PasswordHintQuestion'] . "," . $_GET['PasswordHintAnswer'] . "," . $_GET['firstname'] . "," . $_GET['lastname'] . "," . $_GET['genderSelect'] . "," . $_GET['date_in_format'] . "," . $_GET['nationality'] . "," . $_GET['refEmail'] . ")" ;   
echo $statement;

给出的输出为,

INSERT INTO ge_user_table VALUES([object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object NodeList],[object HTMLSelectElement]/[object HTMLSelectElement]/[object HTMLSelectElement],[object HTMLInputElement],[object HTMLInputElement])Database Insertion fault on registration

但是在插入数据库期间,我得到了错误,

您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,以在第 1 行的 '[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[o' 附近使用正确的语法

但是,下面的查询工作正常。

INSERT INTO ge_user_table VALUES('Muthu2','1234','Who are you?','Iam Indian','Muthu','Ganapathy','MALE','1991-12-21','Indian','abc@abc.com');

编辑: 我已将代码更改为,

  $username     = mysql_escape_string($_GET['username']);
  $password     = mysql_escape_string($_GET['password']);
  $hintQues     = mysql_escape_string($_GET['PasswordHintQuestion']);
  $hintAns      = mysql_escape_string($_GET['PasswordHintAnswer']);
  $firstname    = mysql_escape_string($_GET['firstname']);
  $hintQues     = mysql_escape_string($_GET['lastname']);
  $gender       = mysql_escape_string($_GET['genderSelect']);
  $date         = mysql_escape_string($_GET['date_in_format']) ;
  $nationality  = mysql_escape_string($_GET['nationality']) ;
  $email        = mysql_escape_string($_GET['refEmail']) ;



    $statement = "INSERT INTO $tbl_name VALUES('$username' ,'$password','$hintQues' ,'$hintAns','$firstname' ,'$lastname' ,".
               "'$gender' ,'$date','$nationality','$email')" ;

但是,数据库的条目为, 在此处输入图像描述

最终解决方案:我在 html 中传递了 form.username 而不是 form.username.value。现在明白了。

4

3 回答 3

2

看起来你在 javascript 中有错误。您发送 html DOM 节点而不是值。

你也应该逃避你的 get 变量,比如

mysql_real_escape_string($_GET['username']);
于 2013-03-13T09:16:40.590 回答
1

尝试这个

  $username     = mysql_escape_string($_GET['username']);
  $password     = mysql_escape_string($_GET['password']);
  $hintQues     = mysql_escape_string($_GET['PasswordHintQuestion']);
  $hintAns      = mysql_escape_string($_GET['PasswordHintAnswer']);
  $firstname    = mysql_escape_string($_GET['firstname']);
  $hintQues     = mysql_escape_string($_GET['lastname']);
  $gender       = mysql_escape_string($_GET['genderSelect']);
  $date         = mysql_escape_string($_GET['date_in_format']) ;
  $nationality  = mysql_escape_string($_GET['nationality']) ;
  $email        = mysql_escape_string($_GET['refEmail']) ;



  $statement = "INSERT INTO $tbl_name VALUES('$username' ,'$password','$hintQues' ,'$hintAns','$firstname' ,'$lastname' ,".
               "'$gender' ,'$date','$nationality','$email')" ;   

  echo $statement;

始终尽量保持语句的可读性..无论何时需要插入字符串..它应该被正确引用也总是使用 mysql_escape_string() 以避免 sql 注入。

  • 可能的问题可能是..您传递的是 html 元素本身而不是它的值
于 2013-03-13T09:30:52.727 回答
0

Your sql syntax is wrong you can use mysql_real_escape_string but you also need to care about how you are passing values to sql.

In above query you symply passed text without quotes.

$statement = "INSERT INTO $tbl_name VALUES('".$_GET['username']."', '".$_GET['password']."', '".$_GET['PasswordHintQuestion']."', '".$_GET['PasswordHintAnswer']."', '".$_GET['firstname']."', '".$_GET['lastname']."', '".$_GET['genderSelect']."', '".$_GET['date_in_format']."', '".$_GET['nationality']."', '".$_GET['refEmail']."')" ;
于 2013-03-13T09:26:59.737 回答