doulang1945
2013-09-06 11:08
Views: 161
Accepted

MySQL syntax error on insert

I've got a syntax error in the following code, but I can't find it:

$tableSelect = $_POST["tableSelect"];
$companyName = $_POST["companyName"];
$telephone = $_POST["telephone"];
$fax = $_POST["fax"];
$email = $_POST["email"];
$address = $_POST["address"];
$postcode = $_POST["postcode"];
$category = $_POST["category"];
$contact = $_POST["contact"];
$contactTel = $_POST["contactTel"];
$contactEmail = $_POST["contactEmail"];
$sql = "INSERT INTO '" . $tableSelect . "' ('" . $companyName . "', '" . $telephone . "', '"
    . $fax . "', '" . $email . "', '" . $address . "','" . $postcode . "', '" . $category . "',
    '" . $contact . "', '" . $contactTel . "', '" . $contactEmail . "')";
mysqli_query($con,$sql);
if (!mysqli_query($con,$sql)) {
    die('Error: ' . mysqli_error($con));
}

Cheers!

EDIT: I have modified the code to this:

$sql = "INSERT INTO `" . $tableSelect . "` (name, telephone, fax, email, address, postcode, category,
    contact, contactTel, contactEmail) VALUES (`" . $companyName . "`, `" . $telephone . "`, `"
    . $fax . "`, `" . $email . "`, `" . $address . "`,`" . $postcode . "`, `" . $category . "`,
    `" . $contact . "`, `" . $contactTel . "`, `" . $contactEmail . "`)";

and now have the error "Error: Unknown column [companyName] in 'field list'", where [companyName] is the value submitted through the form. But surely I've defined the column as "name"?

Edit 2: Thanks, I'm now aware of the injection issue. I'd like to get it working, then I'll change it to using prepared statements.


6 answers

  • dtm41506 2013-09-06 12:21
    Accepted

    Ignoring injection issues...

    $sql = "
    INSERT INTO $tableSelect 
    (name
    ,telephone
    ,fax
    ,email
    ,address
    ,postcode
    ,category
    ,contact
    ,contactTel
    ,contactEmail
    ) VALUES 
    ('$companyName'
    ,'$telephone'
    ,'$fax'
    ,'$email'
    ,'$address'
    ,'$postcode'
    ,'$category'
    ,'$contact'
    ,'$contactTel'
    ,'$contactEmail'
    );
    ";
    

    Incidentally, in my (limited) experience, the practice of calling the variable (e.g. '$companyName') and the column (e.g. name) two (slightly) different things can get very confusing.

  • duanbishai5271 2013-09-06 11:10

    Try a query like this:

    $query="insert into abc (a,b,c) values ('a','b','c')";
    
    and first check all your variables using isset()
    
  • du5739 2013-09-06 11:12

    Use backquotes: ` instead of straight quotes when quoting table names:

    instead of:

    '" . $companyName . "'
    

    this:

    `" . $companyName . "`
    

    Use prepared statements instead of putting the variables into the query directly. And check that the table names are correct, because right now you are open to SQL injection.

    How can I prevent SQL injection in PHP?

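The prepared-statement approach that this answer recommends and the question's Edit 2 defers, as an added example that is not code from the thread. The table names in `ALLOWED_TABLES` and the function names `buildInsert` and `insertCompany` are assumptions; the column names are the ones listed in the question's edit. A table name cannot be bound as a parameter, so it is checked against an allow-list instead.

```php
<?php
// Added example, not code from the thread. Table names are hypothetical.
const ALLOWED_TABLES = ['customers', 'suppliers'];
// Form field => column name (columns as listed in the question's edit).
const FIELD_TO_COLUMN = [
    'companyName' => 'name', 'telephone' => 'telephone', 'fax' => 'fax',
    'email' => 'email', 'address' => 'address', 'postcode' => 'postcode',
    'category' => 'category', 'contact' => 'contact',
    'contactTel' => 'contactTel', 'contactEmail' => 'contactEmail',
];

// Returns [sql, values]; only allow-listed identifiers ever reach the SQL text.
function buildInsert(array $post): array
{
    $table = $post['tableSelect'] ?? '';
    if (!is_string($table) || !in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    $values = [];
    foreach (array_keys(FIELD_TO_COLUMN) as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing field: $field");
        }
        $values[] = $post[$field];
    }
    $columns = '`' . implode('`, `', FIELD_TO_COLUMN) . '`';
    $marks = implode(', ', array_fill(0, count($values), '?'));
    return ["INSERT INTO `$table` ($columns) VALUES ($marks)", $values];
}

function insertCompany(mysqli $con, array $post): void
{
    [$sql, $values] = buildInsert($post);
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $con->error);
    }
    // Values travel separately from the statement text, bound as strings.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    if (!$stmt->execute()) {
        throw new RuntimeException('Insert failed: ' . $stmt->error);
    }
    $stmt->close();
}

// Constructed sample input; the apostrophe needs no escaping here.
$sample = ['tableSelect' => 'customers'] + array_fill_keys(array_keys(FIELD_TO_COLUMN), '');
$sample['companyName'] = "O'Brien & Sons";
echo buildInsert($sample)[0], PHP_EOL;
```

In the form handler, `insertCompany($con, $_POST)` replaces the concatenated query and the `mysqli_query()` calls.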
  • drllqg2903 2013-09-06 11:12

    You need either a values statement or a select statement:

    "INSERT INTO '" . $tableSelect . "' VALUES ('" . $companyName . "', '" . $telephone . "', '"
    . $fax . "', '" . $email . "', '" . $address . "','" . $postcode . "', '" . $category . "',
    '" . $contact . "', '" . $contactTel . "', '" . $contactEmail . "')";
    

    However, I would also recommend that you include the column names in the insert statement:

    "INSERT INTO '" . $tableSelect ."(companyname, telephone, fax, email, address, postcode, category, contact, contactTel, contactEmail) ".
      "' VALUES ('" . $companyName . "', '" . $telephone . "', '"
    . $fax . "', '" . $email . "', '" . $address . "','" . $postcode . "', '" . $category . "',
    '" . $contact . "', '" . $contactTel . "', '" . $contactEmail . "')";
    

    I'm not sure if those are the correct names.

  • douyue3800 2013-09-06 11:15

    please check insert query syntax

    you are missing values in your program:

    Follow the below Syntax:

    INSERT INTO table_name (column1, column2, column3,...)
    VALUES (value1, value2, value3,...)
    
  • dqwh1209 2013-09-06 11:16

    Please try below query:

    $sql = "INSERT INTO $tableSelect ('" . $companyName."', '".$telephone."',
    '".$fax."', '".$email."', '".$address."', '".$postcode."', '".$category."',
    '".$contact."', '".$contactTel."', '".$contactEmail."')";
    

    If you are still getting an error, then you should use the mysql_real_escape_string() function.
    The data may contain special characters.
