-2

出于某种原因,我的广告功能有点问题。嗯,每次我按下添加表单上的提交按钮时,我都会用简单的英文收到这个错误..

您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,以在“此处的内容,此处的内容”附近使用正确的语法,使其看起来像可读的英语。许多桌面 ' 在第 2 行

现在我并没有完全说 mysql,所以这对我来说只是个笑话。我想知道你们中的任何人是否可以为我理解它。有问题的代码以 ** 突出显示并以 ** 结尾。此外,所有 strtolower/htmlentities/strip_tags 都是我第一次尝试防止 sql 注入和 xss。对此的任何帮助也会很酷。提前致谢。 

    $error = array();

//revalidate form in case javascript is disabled
if(isset($_POST['add'])){
    $title = strtolower(htmlentities(strip_tags($_POST['title'])));
    $price = strtolower(htmlentities(strip_tags($_POST['price'])));
    $location = strtolower(htmlentities(strip_tags($_POST['location'])));
    $cat = strtolower(htmlentities(strip_tags($_POST['list_one'])));
    $sub = strtolower(htmlentities(strip_tags($_POST['list_two'])));
    $description = htmlentities(strip_tags($_POST['description']));
    $email = strtolower(htmlentities(strip_tags($_POST['email'])));
    $password = strtolower(htmlentities(strip_tags($_POST['password'])));

    if(empty($title) || empty($price) || empty($location) || strcmp($cat,'none') == 0 
        || strcmp($sub,'none') == 0 || empty($description) || empty($email) || empty ($password)){
        $error[] = 'Please fill in the form!';
    }else if(!is_numeric($price)){
        $error[] = 'Price must be numeric!';
    }else if(!preg_match('/^[a-zA-Z0-9_]+$/', $title)){
        $error[] = 'Title must be alphanumeric!';
    }else if(!preg_match('/^[a-zA-Z]+$/', $location)){
        $error[] = 'Location must be characters only!';
    }else if(strlen($location) > 17){
        $error[] = 'Your location may not be more than 17 characters!';
    }else if(!preg_match('/^([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/',$email)){
        $error[] = 'Your email is not in the correct format!';
    }else if(strlen($password) < 6){
        $error[] = 'Your password must be atleast 6 characters long!';
    }else{
                //no errors. check email and password match

        $hashPass = md5($password);

        $query_user = mysql_query("SELECT * FROM users WHERE email='$email'") or die(mysql_error());

        if(mysql_num_rows($query_user) != 0){
            while($row = mysql_fetch_array($query_user)){
                $user_id = $row['id'];
                $pass = $row['password'];
            }

            if(strcmp($hashPass,$pass) == 0){
                **$insert_ad = mysql_query("INSERT INTO ads(id,user_id,title,price,location,category,sub_category,description,dateCreated)
                    VALUES('','$user_id','$title','$price','$location','$cat','$sub','$description',CURRENT_DATE())") or die(mysql_error());**
            }else{
                $error[] = 'Your password didn\'t match the password in our system';
            }
        }else{
            $insert_user = mysql_query("INSERT INTO users(id, email, password, vote_count) VALUES ('','$email','$hashPass', 0)") or die(mysql_error());
            $user_id = mysql_insert_id();
            **$insert_ad = mysql_query("INSERT INTO ads(id,user_id,title,price,location,category,sub_category,description, dateCreated)
                    VALUES ('', '$user_id', '$title', '$price', '$location', '$cat', '$sub', '$description', CURRENT_DATE())") or die(mysql_error());**
        }
    }

    if(!empty($error)){
        foreach($error as $key => $values){
            $error_message = "$values";
        }
        header('Location: add.php?error_with_add'.urlencode($error_message));
        exit();
    }
}

?>
4

1 回答 1

0

您收到该错误的主要原因是您没有转义引号。例如,如果没有转义,这就是它的样子:

$query = "INSERT INTO foo (something) VALUES ('I'm really interested in coding here.')";

请注意单引号是如何在 I 后面结束的。

但是,当您使用 、或 MySQLi 或 PDO 转义该值时mysql_real_escape_string,它会变成这样:

$query = "INSERT INTO foo (something) VALUES ('I\'m really interested in coding here.')";

而且,没有显示错误,因为引号被转义了。

于 2013-04-22T23:56:25.363 回答