-1 
<?php

...........

$connection = mysqli_connect('......com', 'login', 'password', 

'dbname'); 
if (!$connection) { 
    die('Connect Error (' . mysqli_connect_errno() . ') '
            . mysqli_connect_error());
}

echo "Connection Successful";



// creating a query 
mysqli_query($connection, "INSERT INTO `users` (`userid`,`firstname`, `lastname`, `username`, `email`, 

`password`) VALUES (NULL, $firstname, $lastname, $username,$email,$password);");
mysqli_close($connection);



// printing to the screen
echo "Welcome $lastname . You have successfully logged in!";

?>

连接正常,但未插入值。如何改进我的代码?我不明白为什么这些值没有插入到数据库中。我检查了变量,它们很好。

4

3 回答 3

1

如果你没有使用准备好的语句,你需要确保你创建的 SQL 语句是完整的并且在语法上是正确的,并且只有你想要动态的部分是动态的(即避免 SQL 注入)。

mysqli_query如果您首先在变量中构建它,而不是将字符串直接传递给,您可以在调试时将其回显到屏幕以发现明显的语法错误。

在你的情况下:

$sql = "INSERT INTO `users` (`userid`,`firstname`, `lastname`, `username`, `email`, `password`) VALUES (NULL, $firstname, $lastname, $username,$email,$password);";
die(htmlspecialchars($sql));

...大概会显示这样的东西...

INSERT INTO `users` (`userid`,`firstname`, `lastname`, `username`, `email`, `password`) VALUES (NULL, john, smith, jsmith1549348, john.smith@example.com);

...这是无效的 SQL,因为字符串周围没有引号。

由于您还需要转义这些值以避免 SQL 注入,因此您最终可能会得到更多这样的结果:

$sql = "INSERT INTO `users` (`userid`,`firstname`, `lastname`, `username`, `email`, `password`) VALUES (NULL, '" . mysqli_real_escape_string($connection, $firstname) . "', '" . mysqli_real_escape_string($connection, $lastname) . "', '" . mysqli_real_escape_string($username) . "', '" . mysqli_real_escape_string($email) . "', '" . mysqli_real_escape_string($password) . "');";
mysqli_query($connection, $sql);

您可能希望在其中添加一些空格,而不是将它们全部放在一条可笑的长行上,并且可能我打错了,但希望您能理解...。

于 2013-09-20T22:11:08.087 回答
0

试试这个“INSERT INTO users( userid, firstname, lastname, username, email,

password) VALUES (NULL, '$firstname', '$lastname', '$username','$email','$password');"

于 2013-09-20T22:00:41.800 回答
0

使用包装器 mysqli::query() 进行防御注入并使用占位符

<? class db{
private static $_instance;
private $db;
public function q(){return $this->db->query($this->make(func_get_args()));}
public function __get($property){return $this->db->$property;}
public function __call($method,$args){return call_user_func_array(array($this-   >db,$method),$args);}

public function qr(){
  $q = $this->make(func_get_args());
  echo $q;
  return $this->db->query($q);
}

public static function getInstance($conf){
  if(null===self::$_instance){
    self::$_instance = new self($conf);
  }
  return self::$_instance;
}

private function make($args){
  $tmpl =& $args[0];
  $tmpl = str_replace("%","%%",$tmpl);
  $tmpl = str_replace("?","%s",$tmpl);

  foreach($args as $i=>$v){
    if($i && !is_int($v)){
      $args[$i] = "'".$this->db->real_escape_string($v)."'";
    }
  }

  for($i=$c=count($args)-1; $i<$c+20; $i++)
    $args[$i+1] = "UNKNOWN_PLACEHOLDER_$i";
  return call_user_func_array("sprintf", $args);
}

private function __construct($conf){
  $this->db = new  mysqli($conf['mysql_host'],$conf['mysql_user'],$conf['mysql_pass'],$conf['mysql_db']);
  }

private function __clone(){
}
}

$mysql = db::getInstance([
'mysql_host' => '...',
'mysql_user' => '...',
'mysql_pass' => '...',
'mysql_db' => '...'
]);


$mysql->q('INSERT INTO `user` SET `first_name`=?,`last_name`=?',$f_name,$l_name);
于 2013-09-20T23:03:20.170 回答