出于某种原因,我的广告功能有点问题。嗯,每次我按下添加表单上的提交按钮时,我都会用简单的英文收到这个错误..
您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,以在“此处的内容,此处的内容”附近使用正确的语法,使其看起来像可读的英语。许多桌面 ' 在第 2 行
现在我并没有完全说 mysql,所以这对我来说只是个笑话。我想知道你们中的任何人是否可以为我理解它。有问题的代码以 ** 突出显示并以 ** 结尾。此外,所有 strtolower/htmlentities/strip_tags 都是我第一次尝试防止 sql 注入和 xss。对此的任何帮助也会很酷。提前致谢。
$error = array();
//revalidate form in case javascript is disabled
if(isset($_POST['add'])){
$title = strtolower(htmlentities(strip_tags($_POST['title'])));
$price = strtolower(htmlentities(strip_tags($_POST['price'])));
$location = strtolower(htmlentities(strip_tags($_POST['location'])));
$cat = strtolower(htmlentities(strip_tags($_POST['list_one'])));
$sub = strtolower(htmlentities(strip_tags($_POST['list_two'])));
$description = htmlentities(strip_tags($_POST['description']));
$email = strtolower(htmlentities(strip_tags($_POST['email'])));
$password = strtolower(htmlentities(strip_tags($_POST['password'])));
if(empty($title) || empty($price) || empty($location) || strcmp($cat,'none') == 0
|| strcmp($sub,'none') == 0 || empty($description) || empty($email) || empty ($password)){
$error[] = 'Please fill in the form!';
}else if(!is_numeric($price)){
$error[] = 'Price must be numeric!';
}else if(!preg_match('/^[a-zA-Z0-9_]+$/', $title)){
$error[] = 'Title must be alphanumeric!';
}else if(!preg_match('/^[a-zA-Z]+$/', $location)){
$error[] = 'Location must be characters only!';
}else if(strlen($location) > 17){
$error[] = 'Your location may not be more than 17 characters!';
}else if(!preg_match('/^([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/',$email)){
$error[] = 'Your email is not in the correct format!';
}else if(strlen($password) < 6){
$error[] = 'Your password must be atleast 6 characters long!';
}else{
//no errors. check email and password match
$hashPass = md5($password);
$query_user = mysql_query("SELECT * FROM users WHERE email='$email'") or die(mysql_error());
if(mysql_num_rows($query_user) != 0){
while($row = mysql_fetch_array($query_user)){
$user_id = $row['id'];
$pass = $row['password'];
}
if(strcmp($hashPass,$pass) == 0){
**$insert_ad = mysql_query("INSERT INTO ads(id,user_id,title,price,location,category,sub_category,description,dateCreated)
VALUES('','$user_id','$title','$price','$location','$cat','$sub','$description',CURRENT_DATE())") or die(mysql_error());**
}else{
$error[] = 'Your password didn\'t match the password in our system';
}
}else{
$insert_user = mysql_query("INSERT INTO users(id, email, password, vote_count) VALUES ('','$email','$hashPass', 0)") or die(mysql_error());
$user_id = mysql_insert_id();
**$insert_ad = mysql_query("INSERT INTO ads(id,user_id,title,price,location,category,sub_category,description, dateCreated)
VALUES ('', '$user_id', '$title', '$price', '$location', '$cat', '$sub', '$description', CURRENT_DATE())") or die(mysql_error());**
}
}
if(!empty($error)){
foreach($error as $key => $values){
$error_message = "$values";
}
header('Location: add.php?error_with_add'.urlencode($error_message));
exit();
}
}
?>