0

我在以下代码中有语法错误,但我找不到它:

$tableSelect = $_POST["tableSelect"];
$companyName = $_POST["companyName"];
$telephone = $_POST["telephone"];
$fax = $_POST["fax"];
$email = $_POST["email"];
$address = $_POST["address"];
$postcode = $_POST["postcode"];
$category = $_POST["category"];
$contact = $_POST["contact"];
$contactTel = $_POST["contactTel"];
$contactEmail = $_POST["contactEmail"];
$sql = "INSERT INTO '" . $tableSelect . "' ('" . $companyName . "', '" . $telephone . "', '"
    . $fax . "', '" . $email . "', '" . $address . "','" . $postcode . "', '" . $category . "',
    '" . $contact . "', '" . $contactTel . "', '" . $contactEmail . "')";
mysqli_query($con,$sql);
if (!mysqli_query($con,$sql)) {
    die('Error: ' . mysqli_error($con));
}

干杯!

编辑:我已将代码修改为:

$sql = "INSERT INTO `" . $tableSelect . "` (name, telephone, fax, email, address, postcode, category,
    contact, contactTel, contactEmail) VALUES (`" . $companyName . "`, `" . $telephone . "`, `"
    . $fax . "`, `" . $email . "`, `" . $address . "`,`" . $postcode . "`, `" . $category . "`,
    `" . $contact . "`, `" . $contactTel . "`, `" . $contactEmail . "`)";

现在出现错误“错误:'字段列表'中的未知列 [companyName]”,其中 [companyName] 是通过表单提交的值。但我肯定已经将该列定义为“名称”吗?

编辑2:谢谢,我现在知道注射问题。我想让它工作,然后我会将其更改为使用准备好的语句。

4

6 回答 6

2

您需要values声明或select声明:

"INSERT INTO '" . $tableSelect . "' VALUES ('" . $companyName . "', '" . $telephone . "', '"
. $fax . "', '" . $email . "', '" . $address . "','" . $postcode . "', '" . $category . "',
'" . $contact . "', '" . $contactTel . "', '" . $contactEmail . "')";

但是,我还建议您在insert语句中包含列名:

"INSERT INTO '" . $tableSelect ."(companyname, telephone, fax, email, address, postcode, category, contact, contactTel, contactEmail) ".
  "' VALUES ('" . $companyName . "', '" . $telephone . "', '"
. $fax . "', '" . $email . "', '" . $address . "','" . $postcode . "', '" . $category . "',
'" . $contact . "', '" . $contactTel . "', '" . $contactEmail . "')";

我不确定这些名称是否正确。

于 2013-09-06T11:12:09.790 回答
1

引用表名时使用反引号:` 而不是直引号:

代替:

'" . $companyName . "'

这:

`" . $companyName . "`

使用准备好的语句而不是直接将变量放入查询中。并检查表名称是否正确,因为现在您可以接受 SQL 注入。

如何防止 PHP 中的 SQL 注入?

于 2013-09-06T11:12:08.850 回答
1

请检查插入查询语法

您在程序中缺少

请遵循以下语法:

INSERT INTO table_name (column1, column2, column3,...)
VALUES (value1, value2, value3,...)
于 2013-09-06T11:15:20.880 回答
1

忽略注入问题...

$sql = "
INSERT INTO $tableSelect 
(name
,telephone
,fax
,email
,address
,postcode
,category
,contact
,contactTel
,contactEmail
) VALUES 
('$companyName'
,'$telephone'
,'$fax'
,'$email'
,'$address'
,'$postcode'
,'$category'
,'$contact'
,'$contactTel'
,'$contactEmail'
);
";

顺便说一下,在我(有限的)经验中,调用变量(例如'$companyName')和列(例如name)两个(稍微)不同的东西的做法会变得非常混乱。

于 2013-09-06T12:21:51.957 回答
0

尝试这样的查询

$query="insert into abc (a,b,c) values ('a','b','c')

and first check your all variables using isset()
于 2013-09-06T11:10:24.063 回答
0

请尝试以下查询:

$sql = "INSERT INTO $tableSelect ('" . $companyName."', '".$telephone."',
'".$fax."', '".$email."', '".$address."', '".$postcode."', '".$category."',
'".$contact."', '".$contactTel."', '".$contactEmail."')";

如果仍然出现错误,那么您应该使用 mysql_real_escape_string() 函数。
数据可能包含特殊字符。

于 2013-09-06T11:16:50.500 回答