SQL查询中的字符串值必须加引号。你只是在转义数据,然后他们将其转储到字符串中。(我也不明白为什么你要连接所有的字符串,而不是使用变量插值)。
嘿,大家好……我在这个脚本上遇到了很多麻烦。我想这是标准的PHP MYSQLI。它一直有效,直到我尝试添加mysqli_real_escape字符串部分。有什么想法吗?
<?php
require_once 'connect.php';
$name = ($_POST['name']);
$address = ($_POST['address']);
$city = ($_POST['city']);
$state = ($_POST['state']);
$zip = ($_POST['zip']);
$persons = ($_POST['persons']);
$damages = ($_POST['damages']);
$complaint = ($_POST['complaint']);
$safename = mysqli_real_escape_string($connection, $name);
$safeaddress = mysqli_real_escape_string($connection, $address);
$safecity = mysqli_real_escape_string($connection, $city);
$safestate = mysqli_real_escape_string($connection, $state);
$safezip = mysqli_real_escape_string($connection, $zip);
$safedate = mysqli_real_escape_string($connection, $date);
$safepersons = mysqli_real_escape_string($connection, $persons);
$safedamages = mysqli_real_escape_string($connection, $damages);
$safecomplaint = mysqli_real_escape_string($connection, $complaint);
$query = "INSERT INTO blacklisted
(
name,
address,
city,
state,
zip,
date,
persons,
damages,
complaint
)
VALUES
(
".$safename.",
".$safeaddress.",
".$safecity.",
".$safestate.",
".$safezip.",
".$safedate.",
".$safepersons.",
".$safedamage.",
".$safecomplaint."
)";
$result = mysqli_query($connection, $query);
mysqli_free_result($result);
mysqli_close($connection);
?>
我以为一切都会好起来,但现在我很困惑。
无论如何,您都不应该将用户输入混合到SQL字符串中。使用事先准备好的语句。