嘿什么事情每个人......我在这个剧本上遇到了很多麻烦。我想这是标准的PHP MYSQLI的东西。它一直在工作,直到我尝试添加mysqli_real_escape字符串部分。有什么想法吗?
<?php
require_once 'connect.php';
$name = ($_POST['name']);
$address = ($_POST['address']);
$city = ($_POST['city']);
$state = ($_POST['state']);
$zip = ($_POST['zip']);
$persons = ($_POST['persons']);
$damages = ($_POST['damages']);
$complaint = ($_POST['complaint']);
$safename = mysqli_real_escape_string($connection, $name);
$safeaddress = mysqli_real_escape_string($connection, $address);
$safecity = mysqli_real_escape_string($connection, $city);
$safestate = mysqli_real_escape_string($connection, $state);
$safezip = mysqli_real_escape_string($connection, $zip);
$safedate = mysqli_real_escape_string($connection, $date);
$safepersons = mysqli_real_escape_string($connection, $persons);
$safedamages = mysqli_real_escape_string($connection, $damages);
$safecomplaint = mysqli_real_escape_string($connection, $complaint);
$query = "INSERT INTO blacklisted
(
name,
address,
city,
state,
zip,
date,
persons,
damages,
complaint
)
VALUES
(
".$safename.",
".$safeaddress.",
".$safecity.",
".$safestate.",
".$safezip.",
".$safedate.",
".$safepersons.",
".$safedamage.",
".$safecomplaint."
)";
$result = mysqli_query($connection, $query);
mysqli_free_result($result);
mysqli_close($connection);
?>
我觉得一切都会好起来但我现在很困惑。
答案 0 :(得分:1)
必须引用SQL查询中的字符串值。您只是转义数据并将它们转储到字符串中。 (我不明白为什么你要连接所有字符串而不是使用变量插值)。
无论如何,您不应该将用户输入混合到SQL字符串中。使用prepared statements。