的最佳方法
我在插入数据库时遇到错误,这是我正在使用
的代码class DB_Functions
{
private $db;
//put your code here
// constructor
function __construct() {
require_once 'DB_Connect.php';
// connecting to database
$this->db = new DB_Connect();
$this->db->connect();
}
// destructor
function __destruct() {
}
/**
* Storing new user
* returns user details
*/
public function storeUnit($email, $unit, $maint, $attent, $done) {
$con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die (mysql_error());
mysql_select_db(DB_DATABASE, $con);
$var = mysql_query('select 1 from `table_name`');
if ($var !== FALSE){
$format = 'Y-m-d G:i:s';
$date = date($format);
mysql_query("CREATE TABLE '$email'( Col1 VARCHAR, Col2 VARCHAR,Col3 VARCHAR, Col4 VARCHAR, Col5 VARCHAR),$con");
$result = mysql_query("INSERT INTO '$email'(Col1, Col2 ,Col3 , Col4 , Col5) VALUES('$unit', '$done', '$attent', '$maint', '$date')");
} else {
$result = mysql_query("INSERT INTO '$email'(Col1, Col2 ,Col3 , Col4 , Col5) VALUES('$var2', '$var3', '$var4', '$var5', '$date')");
}
// check for successful store
if ($result) {
// get unit details
$uid = mysql_insert_id(); // last inserted id
$result = mysql_query("SELECT * FROM users WHERE Col1 = $var2");
// return unit details
return mysql_fetch_array($result);
} else {
return false;
}
}
错误在这里
mysql_query("CREATE TABLE '$email'( Col1 VARCHAR, Col2 VARCHAR,Col3 VARCHAR,
Col4 VARCHAR, Col5 VARCHAR),$con");
^ this one
可变$con不应包含在字符串
mysql_query("CREATE TABLE '$email'( Col1 VARCHAR, Col2 VARCHAR,Col3 VARCHAR,
Col4 VARCHAR, Col5 VARCHAR)",$con);
另一件事是创建一个列的数据类型为 varchar,但未指定其容量。应该是
CREATE TABLE '$email'( Col1 VARCHAR(50), ....
有关防止SQL INJECTION的其他信息:
防止SQL注入PHP