-3

我发现了一些 php 代码有问题。该页面连接到 MySQL 数据库,列出记录并提供用于删除记录的按钮以及用于输入新记录的表单。列表和删除工作正常,但是当我去添加新记录时,它会出现以下错误

“插入失败:插入产品值('3',测试名称','测试名称','66','0','77',>'0','测试描述','测试描述esp', 'test notes')您的 SQL 语法有错误;请查看与您的 MySQL 服务器>版本相对应的手册,以了解在 'name'、'test nombre'、'66'、'0'、' 附近使用的正确语法77', '0', 'Test >descript', 'Test descript esp'' 在第 1 行"

我检查了拼写错误,但找不到任何东西-希望有人能发现我做错了什么并指出我正确的方向。谢谢。这是PHP代码:

<?php
$pageTitle = "MIS Dashboard";
 include ('includes/header.php'); ?>

<div class="wrapper">

<?php // productsadmin.php


require_once 'includes/login.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);

if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());

mysql_select_db($db_database, $db_server)
    or die("Unable to select database: " . mysql_error());

if (isset($_POST['delete']) && isset($_POST['product_id']))
{
    $product_id  = get_post('product_id');
    $query = "DELETE FROM products WHERE product_id='$product_id'";

    if (!mysql_query($query, $db_server))   
        echo "DELETE failed: $query<br />" .
        mysql_error() . "<br /><br />";
}

if (isset($_POST['product_id']) &&
    isset($_POST['name_eng']) &&
    isset($_POST['name_esp']) &&
    isset($_POST['netprice_bob']) &&
    isset($_POST['netprice_usd']) &&
    isset($_POST['sellingprice_bob']) &&
    isset($_POST['sellingprice_usd']) &&
    isset($_POST['description_eng']) &&
    isset($_POST['description_esp']) &&
    isset($_POST['notes']))
{
    $product_id    = get_post('product_id');
    $name_eng   = get_post('name_eng');
    $name_esp    = get_post('name_esp');
    $netprice_bob = get_post('netprice_bob');
    $netprice_usd     = get_post('netprice_usd');
    $sellingprice_bob = get_post('sellingprice_bob');
    $sellingprice_usd     = get_post('sellingprice_usd');
    $description_eng   = get_post('description_eng');
    $description_esp    = get_post('description_esp');
    $notes   = get_post('notes');

    $query = "INSERT INTO products VALUES" .
        "('$product_id', $name_eng', '$name_esp', '$netprice_bob', '$netprice_usd', '$sellingprice_bob', '$sellingprice_usd', '$description_eng', '$description_esp', '$notes')";

    if (!mysql_query($query, $db_server))
        echo "INSERT failed: $query<br />" .
        mysql_error() . "<br /><br />";
}

echo <<<_END
<form action="productsadmin.php" method="post"><pre>

  Product ID:       <input type="text" name="product_id" />
  Name:         <input type="text" name="name_eng" />
  Nombre:       <input type="text" name="name_esp" />
  Net Price BOB:    <input type="text" name="netprice_bob" />
  Net Price USD:    <input type="text" name="netprice_usd" />
  Selling Price BOB:    <input type="text" name="sellingprice_bob" />
  Selling Price USD:    <input type="text" name="sellingprice_usd" />
  Description :     <input type="text" name="description_eng" />
  Descripcion :     <input type="text" name="description_esp" />
  Notes :       <input type="text" name="notes" />

            <input type="submit" value="ADD RECORD" />
</pre></form>
_END;

$query = "SELECT * FROM products";
$result = mysql_query($query);

if (!$result) die ("Database access failed: " . mysql_error());
$rows = mysql_num_rows($result);

for ($j = 0 ; $j < $rows ; ++$j)
{
    $row = mysql_fetch_row($result);
    echo <<<_END
<pre>
  Product ID:       $row[0]
  Name:             $row[1]
  Nombre:           $row[2]
  Net Price BOB:    $row[3]
  Net Price USD:    $row[4]
  Selling Price BOB: $row[5]
  Selling Price USD: $row[6]
  Description:       $row[7]
  Descripcion:      $row[8]
  Notes:            $row[9]

</pre>
<form action="productsadmin.php" method="post">
<input type="hidden" name="delete" value="yes" />
<input type="hidden" name="product_id" value="$row[0]" />
        <input type="submit" value="DELETE RECORD" /></form>
_END;
}

mysql_close($db_server);

function get_post($var)
{
    return mysql_real_escape_string($_POST[$var]);
}
?>


</div>

<?php include ('includes/footer.php'); ?>
4

2 回答 2

3

您在第二个值上缺少单引号,

INSERT INTO products VALUES('3', 'test name', 'test nombre', ...)
                              -- ^ here: add single quote

您还需要在将值插入数据库之前对其进行清理。我建议您使用PDOMYSQLi扩展来防止SQL Injection.

于 2013-05-10T17:07:37.233 回答
0
INSERT failed: INSERT INTO products VALUES('3', test name', 'test nombre', '66', '0', '77', >'0', 'Test descript', 'Test descript esp', 'test notes').

有两个问题。第二个值没有起始单引号,七个值>'0'

于 2013-05-10T17:12:22.710 回答