我在使用数据库将数据从表单插入数据库时遇到了一些问题。我收到了一个ENCAPSED STRING错误,但我似乎无法找到错误信息。任何人都可以告诉我字符串出错的地方吗?
$insert = "INSERT INTO `$user_table`(`user_id`, `first_name`, `last_name`, `password`, `email`, `program`, `role`, `logged_in`, `registered`) VALUES('" .$p_num ."', '" .$first_name ."', '" .$last_name ."', '" .$password ."', '" .$email ."', '" .$program ."', '" .$role "', '" .$logged_in ."', '" .$registered ."')";
更改
$insert = "INSERT INTO '" .$user_table ."'(`user_id`, `first_name`, `last_name`, `password`, `email`, `program`, `role`, `logged_in`, `registered`) VALUES('" .$p_num ."', '" .$first_name ."', '" .$last_name ."', '" .$password ."', '" .$email ."', '" .$program ."', '" .$role ."', '" .$logged_in ."', '" .$registered ."')";
现在我不再收到错误(感谢大家),但数据没有输入数据库,我没有收到任何错误。这是完整的脚本。
if($_SERVER["REQUEST_METHOD"] == "POST"){
$p_num = $_POST["p_number"];
$first_name = $_POST["first_name"];
$last_name = $_POST["last_name"];
$email = $_POST["email"];
$password = $_POST["pw"];
$verify_password = $_POST["pw_verify"];
$program = $_POST["program"];
$role = $_POST["role"];
$logged_in = 0;
$registered = 0;
$query = "SELECT * FROM `$user_table` WHERE `user_id` = '$p_num'";
$result = mysqli_query($connect, $query);
while($row = mysqli_fetch_assoc($result)){
$user_id = "{$row['user_id']}";
if($user_id == $p_num){
echo "User already exists.";
}
else{
$registered = 1;
$insert = "INSERT INTO '" .$user_table ."'(`user_id`, `first_name`, `last_name`, `password`, `email`, `program`, `role`, `logged_in`, `registered`) VALUES('" .$p_num ."', '" .$first_name ."', '" .$last_name ."', '" .$password ."', '" .$email ."', '" .$program ."', '" .$role ."', '" .$logged_in ."', '" .$registered ."')";
$success = mysqli_query($connect, $insert);
if($success){
echo "Done";
}
else{
echo "Error";
}
}
}
}
答案 0 :(得分:0)
好的,因为其他答案宽对SQL注入开放,我会把答案放到帽子里......尝试这样的事情
$SQL = "INSERT INTO `".$user_table."`(`user_id`, `first_name`, `last_name`, `password`, `email`, `program`, `role`, `logged_in`, `registered`) VALUES(?,?,?,?,?,?,?,?,?)";
$MySQLI = new mysqli($connect);
$Statement = $MySQLI->prepare($SQL);
$Statement->bind_param("sssssssss", $p_num, $first_name, $last_name, $password, $email, $program, $role, $logged_in, $registered);
$Statement->execute();
printf("Error: %s.\n", $Statement->error);
答案 1 :(得分:0)
我实际上是自己想出来的。在while循环中显然存在冲突,因为它是基于SELECT语句进行连接的。这是解决方案。
$insert = "INSERT INTO `$user_table`(`user_id`, `first_name`, `last_name`, `password`, `email`, `program`, `role`, `logged_in`, `registered`) VALUES('" .$p_num ."', '" .$first_name ."', '" .$last_name ."', '" .$password ."', '" .$email ."', '" .$program ."', '" .$role ."', '" .$logged_in ."', '" .$registered ."')";
$success = mysqli_query($connect, $insert);
if($success){
$registered = 1;
mysqli_query($connect, "UPDATE `$user_table` SET `registered` = 1 WHERE `user_id` = '$p_num'");
echo "Done";
}
else{
$registered = 0;
echo "This user already exists.";
}
对于记录,是的,我知道这很容易受到SQL注入的影响,但这仍然是有效的(包括安全问题),它不是实时的,它不在生产中。
答案 2 :(得分:-1)
你应该改变这个:
$insert = "INSERT INTO `$user_table`(`user_id`, `first_name`, `last_name`, `password`, `email`, `program`, `role`, `logged_in`, `registered`) VALUES('" .$p_num ."', '" .$first_name ."', '" .$last_name ."', '" .$password ."', '" .$email ."', '" .$program ."', '" .$role "', '" .$logged_in ."', '" .$registered ."')";
到此:
$insert = "INSERT INTO `".$user_table."`(`user_id`, `first_name`, `last_name`, `password`, `email`, `program`, `role`, `logged_in`, `registered`) VALUES('" .$p_num ."', '" .$first_name ."', '" .$last_name ."', '" .$password ."', '" .$email ."', '" .$program ."', '" .$role "', '" .$logged_in ."', '" .$registered ."')";
也改变了这个:
'" .$p_num ."'
为此(删除简单引号):
". $p_num ."
答案 3 :(得分:-1)
如果您没有时间编写无错误的SQL语句,只需使用PHPmyadmin插入数据,然后复制phpmyadmin生成的SQL语句,然后使用您的php文件中的变量编辑值。