duanmu6752 2015-10-03 23:57 采纳率: 0%
浏览 61
已采纳

参数值导致错误[重复]

This question already has an answer here:

I've created a function to insert data different from displaying data. Then I get an error. Unknown column '$prod_name' in 'field list'. Please tell me any right suggestions because im a beginner in pdo. thanks

here is my code:

<?php
    function run_db($sqlcom){
        $con = new PDO('mysql:host=localhost; dbname=product', 'root', '');
        $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $con->prepare($sqlcom);
        $stmt->execute();
        return $stmt;
    }

    function insertData($sqlcom)
    {
        $con = new PDO('mysql:host=localhost; dbname=product', 'root', '');
        $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $con->prepare($sqlcom);
        $stmt->execute();
        return $stmt;
    }



    if(isset($_POST['btn-insert'])){

        $prodname = $_POST['prod_name'];
        $prodsupp = $_POST['prod_supplier'];
        $prodprice = $_POST['prod_price'];

        try{
            $stmt = insertData('INSERT INTO tbl_product(prod_name, prod_supplier, prod_price)VALUES($prodname, $prodsupp, $prodprice)');
        }catch(Exception $e){
            die('error : ' . $e->getMessage());
        }
    }
?>
<html>
    <head><title></title></head>
    <body>
            <table cellpadding="4" cellspacing="2" border='1'>
                <tr>
                    <th>Product ID</th>
                    <th>Product NAME</th>
                    <th>Product SUPPLIER</th>
                    <th>Product PRICE</th>
                </tr>
                <?php $stmt = run_db('SELECT * FROM tbl_product'); while($product = $stmt->fetch(PDO::FETCH_OBJ)) { ?>
                <tr>
                    <td><?php echo $product->prod_id; ?></td>
                    <td><?php echo $product->prod_name; ?></td>
                    <td><?php echo $product->prod_supplier; ?></td>
                    <td><?php echo $product->prod_price; ?></td>
                </tr>
                <?php } ?>
            </table>
            <br>
            <br>

            <form action="" method="post">
                <table cellspacing="2" cellpadding="2" border="1">
                    <tr>
                        <td>Product name:</td>
                        <td><input type="text" name="prod_name"></td>
                    </tr>
                    <tr>
                        <td>Product supplier:</td>
                        <td><input type="text" name="prod_supplier"></td>
                    </tr>
                    <tr>
                        <td>Product Price:</td>
                        <td><input type="text" name="prod_price"></td>
                    </tr>
                    <tr>
                        <td colspan="2"><input type="submit" name="btn-insert" value="INSERT"></td>
                    </tr>
                </table>
            </form>

    </body>
</html>

</div>
  • 写回答

1条回答 默认 最新

  • doumo2501 2015-10-04 00:01
    关注

    String literals in SQL are denoted by single quotes ('s). Without them, a bareword is interpreted as an object (column, in this case) name, and the query fails when such an object doesn't exist.

    To solve this issue, you could surround your inserted values with quotes:

    $stmt = insertData("INSERT INTO tbl_product(prod_name, prod_supplier, prod_price)VALUES('$prodname', '$prodsupp', '$prodprice')");

    Mandatory comment:
    Using string replacement in SQL is a bad practice that leaves your code vulnerable to SQL injection attacks. You should consider using prepared statements instead.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 keil的map文件中Image component sizes各项意思
  • ¥15 BC260Y用MQTT向阿里云发布主题消息一直错误
  • ¥20 求个正点原子stm32f407开发版的贪吃蛇游戏
  • ¥15 划分vlan后,链路不通了?
  • ¥20 求各位懂行的人,注册表能不能看到usb使用得具体信息,干了什么,传输了什么数据
  • ¥15 Vue3 大型图片数据拖动排序
  • ¥15 Centos / PETGEM
  • ¥15 划分vlan后不通了
  • ¥20 用雷电模拟器安装百达屋apk一直闪退
  • ¥15 算能科技20240506咨询(拒绝大模型回答)