答案 H2>
将error reporting添加到您的文件中会发出错误信号。
error_reporting(E_ALL);
ini_set('display_errors', 1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);您要么不使用表名周围的引号,要么使用反引号(如果它是MySQL保留字);在这种情况下,不仅仅是删除表名周围的引号。
$res = mysqli_query($con,"INSERT INTO boatviewing (clientNo,boatNo,viewDate,comment)(如果你真的想逃避你的表名)
$res = mysqli_query($con,"INSERT INTO `boatviewing` (clientNo,boatNo,viewDate,comment)你似乎还有一个额外的
标签;删除它,加上删除die(mysqli_error());;末尾的额外分号,这是不需要的。另外,删除header("Location:client.php");上方的echo "success";,您将在标头之前输出并将引发错误。
更改
$con = mysqli_connect("localhost","root","","boats4u")or die(mysqli_error());;至:
$con = mysqli_connect("localhost","root","","boats4u")
or die("Error " . mysqli_error($con));根据手册声明的方法:
SQL injection开放。使用prepared statements或PDO。
这是一个准备好的声明方法:
error_reporting(E_ALL);
ini_set('display_errors', 1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("localhost","root","","boats4u");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
/* Set the params */
$client = $_POST['clientNo'];
$boat = $_POST['boatNo'];
$date = $_POST['viewDate'];
$comment = $_POST['comment'];
/* Create the prepared statement */
if ($stmt = $mysqli->prepare("INSERT INTO boatviewing (clientNo,boatNo,viewDate,comment) VALUES (?, ?, ?, ?)")) {
/* Bind the params */
$stmt->bind_param('ssss', $client, $boat, $date, $comment);
/* Execute the prepared statement */
$stmt->execute();
/* Echo results */
echo "Inserted {$client}, {$boat}, {$date}, {$comment} into database.\n";
/* Close the statement */
$stmt->close();
}
else {
/* Error */
printf("Prepared Statement Error: %s\n", $mysqli->error);
}
?>
如果您不想使用预准备语句(您确实应该这样做)且处于学习状态,请至少使用mysqli_real_escape_string()进行一些保护
$client = mysqli_real_escape_string($con,$_POST['clientNo']);
$boat = mysqli_real_escape_string($con,$_POST['boatNo']);
$date = mysqli_real_escape_string($con,$_POST['viewDate']);
$comment = mysqli_real_escape_string($con,$_POST['comment']);