duanjing7459
2019-02-04 21:51
浏览 75

PHP表单提交 - 语法错误

I have an HTML form that is fairly simple:

HTML:

<form method="POST" id="form-1" name="form-1">
   <p>     
      <input type="text" name="fm1q1">
      <input type="number" name="fm1q1-score">
   </p>
   <p>     
      <input type="text" name="fm1q2">
      <input type="number" name="fm1q2-score">
   </p>
   <p>     
      <input type="text" name="fm1q3">
      <input type="number" name="fm1q3-score">
   </p>
   <p>     
      <input type="text" name="fm1q4">
      <input type="number" name="fm1q4-score">
   </p>
   <p>     
      <input type="text" name="fm1q5">
      <input type="number" name="fm1q5-score">
   </p>
   <button type="submit" name="submit">SUBMIT</button>
</form>

I'm using a simple Ajax call:

$('#form-1').on('submit', function(e){
    e.preventDefault();
    $.ajax({
        type:   'POST',
        url:    'submitForm.php',
        data:   $(this).serialize(),
        success: function(data){
            console.log(data);
        },
        error: function(xhr, ajaxOptions, thownError){
            console.log(xhr.status);
            console.log(thrownError);
        }
    });
});

The PHP that inserts the form data into a MySQL DB Table is like this:

require "config.php"; // Contains all my connection information 
$answers = array($_POST['fm1q1'], $_POST['fm1q2'], $_POST['fm1q3'], $_POST['fm1q4'], $_POST['fm1q5']);
$scores = array($_POST['fm1q1-score'], $_POST['fm1q2-score'], $_POST['fm1q3-score'], $_POST['fm1q4-score'], $_POST['fm1q5-score']);

for ($i = 0; $i < 5; $i++) { 
   $sql = "INSERT INTO table_1 (answer, score) VALUES ('$answers[$i]', '$scores[$i]')";
   $result = mysqli_query($conn, $sql);
   if (!$conn->query($result) === TRUE) {
      echo "Error: " . $sql . "--" . $conn->error. "
";
   }
 }

$conn->close();

The problem I'm running into is that my Developer Tools say I have a Syntax error in the $sql= line, but I can't see what's wrong.

Error: INSERT INTO table_1 (answer, score) VALUES ('test', '123')--You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1' at line 1
  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

2条回答 默认 最新

  • drtiwd06558 2019-02-04 22:06
    已采纳

    You're trying to execute the query twice. Once here:

    mysqli_query($conn, $sql)
    

    and once here:

    $conn->query($result)
    

    And furthermore, in the second attempt you aren't executing the query but rather trying to execute the results of the query. I'm not sure why it's failing with that exact error message, but I'd certainly expect it to fail somehow.

    What has you confused is that you're outputting your first query after having checked if your second query has failed. So you're misleading yourself in your debugging.

    Just remove that second query attempt. You already have the results from the first one:

    $result = mysqli_query($conn, $sql);
    if ($result !== TRUE) {
        echo "Error: " . $sql . "--" . mysqli_error($conn) . "
    ";
    }
    

    You should definitely make the choice of whether to use the function notation or the object notation with mysqli, and stay consistent with your choice. Trying to mix the two might work in some cases but it's ultimately going to cause confusion like this.


    Also, and this is important... Your code is wide open to SQL injection. PHP provides considerable information on what that means here. And this is a great starting point for correcting it. Regardless of how you approach it, the bottom line is that you should never put user-modifiable data directly into a query as though it's part of the code. This allows user to put actual code in your query.

    点赞 打赏 评论
  • dongshungai4857 2019-02-04 22:02

    Not the whole issue in your code - but the initial error message is due to the table name having an underscore.

    Update your SQL query to:

    "INSERT INTO `table_1` (answer, score) VALUES ('$answers[$i]', '$scores[$i]')";
    

    That should resolve the mysql error you saw.

    However - you also need to look into improving your query. Look at escaping the values (never trust posted data that could be manipulated to just write to your database), or ideally use prepared statements.

    点赞 打赏 评论

相关推荐 更多相似问题