$sql = "INSERT INTO $table_name VALUES
('$_POST[firstname]', '$_POST[lastname]', '$_POST[username]', password('$_POST[password]'), 'Users', '', '', '$pchange',
'$_POST[email]', '$default_url', '$verify', '', 0, '', 0)";
$result = @mysql_query($sql,$connection) or die(mysql_error());
$ sql,$ connection和$ table_name都是有效的,以前在脚本和数据库中使用过,这就是我的数据库的样子:
firstname varchar(20) latin1_swedish_ci Yes NULL Change Drop More
lastname varchar(20) latin1_swedish_ci Yes NULL Change Drop More
username varchar(20) latin1_swedish_ci Yes NULL Change Drop More
password varchar(50) latin1_swedish_ci Yes NULL Change Drop More
group1 varchar(20) latin1_swedish_ci Yes NULL Change Drop More
group2 varchar(20) latin1_swedish_ci Yes NULL Change Drop More
group3 varchar(20) latin1_swedish_ci Yes NULL Change Drop More
pchange varchar(1) latin1_swedish_ci Yes NULL Change Drop More
email varchar(100)latin1_swedish_ci Yes NULL Change Drop More
redirect varchar(100)latin1_swedish_ci Yes NULL Change Drop More
verified varchar(1) latin1_swedish_ci Yes NULL Change Drop More
last_login date Yes NULL Change Drop More
balance double UNSIGNED Yes 0 Change Drop More
address varchar(60) latin1_swedish_ci Yes NULL Change Drop More
lostbalance double Yes 0 Change Drop More
提前致谢。
答案 0 :(得分:4)
因为@:
没有错误@mysql_query($sql,$connection) or die(mysql_error());
@抑制了mysql_query()函数的错误。
我在你的陈述中看到多个错误:
'$_POST[firstname]' - 被假定为$_POST['firstname']。将值存储在变量中或使用连接:"'.$_POST['firstname'].'"
使用mysql_query($sql) or die(mysql_error());
转义存储在数据库中的所有数据。
答案 1 :(得分:1)
首先,保留未经过滤的任何用户输入并不是一种好的安全措施,因为很快你就会成为SQL注入和/或XSS攻击的受害者。您应该以这种方式过滤用户输入:
$var = filter_var($_POST['var']), FILTER_SANITIZE_STRING);
然后你应该在SQL查询中使用这个$var,而不是直接使用$_POST['var'].,即:
$sql = "INSERT INTO $table_name VALUES
('$firstname', '$lastname', '$username', password('$password'), 'Users', '', '', '$pchange',
'$email', '$default_url', '$verify', '', 0, '', 0)";
答案 2 :(得分:-2)
您必须在“VALUES”
前面命名表格列INSERT INTO $table_name (field_1, field2, ...) VALUES ($_POST_1, ...)