my PHP code will NOT insert records into my SQL dabase table [closed]

后端未结

关注

 4  1262

梦如初夏

相关标签:

4条回答

挽巷

2021-01-29 11:57

Here, is a better-version of script you created, because yours was 100% open to SQL injections, and really not even a conventional way of codding, this is safer but if you need safe, then I suggest you learn about PDO from here

<?php
     if(isset($_POST['submit'])){
       mysql_connect("localhost","username","password") or die(mysql_error());
       mysql_select_db("wwwbrecs_BREC", $con) or die(mysql_query());

      $email = mysql_real_escape_string($_POST['email']);
      $date = mysql_real_escape_string($_POST['date'])
      $time = mysql_real_escape_string($_POST['time'])

       $sql = "INSERT INTO 
            signups ('signup_email_address', 'signup_date','signup_time') 
            VALUES  ('".$email."','".$date."','".$time."')";

        mysql_query($sql, $con) or die(mysql_error());

        mysql_close($con);
    }

0 讨论(0)

南笙

2021-01-29 12:01

signups table should not be surrounded by single quotes ' but apostrophes `

Therefore

    $sql = "INSERT INTO 'signups' ('signup_email_address', 'signup_date',                          'signup_time') VALUES ('$_POST[email]','$_POST[date]','$_POST[time]')";

Should be

    $sql = "INSERT INTO `signups` ('signup_email_address', 'signup_date',                          'signup_time') VALUES ('$_POST[email]','$_POST[date]','$_POST[time]')";

0 讨论(0)

忘了有多久

2021-01-29 12:03
There is a syntax error in your query, you sholdn't surround table name and column with quotes ' , at least you can use backtick `
```
INSERT INTO 'signups' ('signup_email_address', 'signup_date','signup_time')
```
Should be
```
INSERT INTO signups (signup_email_address, signup_date, signup _time) VALUES 
```
Or
```
INSERT INTO `signups` (`signup_email_address`, `signup_date`, `signup _time`) VALUES 
```
Only values (actually not integers for integers columns) should be surrounded with quotes '.

Then I would like to remember you that mysql_ functions are deprecated so i would advise you to switch to mysqli or PDO and indeed you are at risk of sql injection, have a look here How can I prevent SQL injection in PHP?. You should use prepared statment to avoid any risk
0 讨论(0)
发布评论:

提交评论
- 加载中...

夕颜

2021-01-29 12:10

<?php
$sql = "
    INSERT INTO signups 
    (signup_email_address, signup_date, signup_time) 
    VALUES 
    ('" . mysql_real_escape_string($_POST['email']) . "','" . mysql_real_escape_string($_POST['date']) . "', '" . mysql_real_escape_string($_POST['time']) . "')";

this should do the trick, also check your security

0 讨论(0)

热议问题