Inserting an email address into a table field

孤人 submitted on 2021-01-27 20:19:32

Question


// write student record
$query = "INSERT INTO Student (SLastName, SFirstName, SeMail, SGrade, SPhone, SCell, SLunch)".
" VALUES ($LastName, $FirstName, $email, $grade, $phone, $cell, $lunch)";
echo $query . '<br />';
$result = mysql_query($query);
if (!$result)
     die("Error inserting Student record: ". mysql_error());

INSERT INTO Student (SLastName, SFirstName, SeMail, SGrade, SPhone, SCell, SLunch)
VALUES (Weiner, Wendy, somemail@gmail.com, 12, 2123334444, 8458765555, 5)

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com, 12, 2123334444, 8458765555, 5)' at line 1

Server version: 5.0.91-community


Answer 1:


Shouldn't that be

INSERT INTO Student (SLastName, SFirstName, SeMail, SGrade, SPhone, SCell, SLunch)
VALUES (Weiner, Wendy, 'somemail@gmail.com', 12, 2123334444, 8458765555, 5)

i.e. with the email address in quotes?




Answer 2:


You are inviting a visit from little Bobby Tables by using user-supplied data unescaped in a SQL query.

Either use mysql_real_escape_string to defang the input, or use PDO to do it better.
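
An added example (not part of the original answer or the asker's code) of the PDO route suggested above: the INSERT from the question rewritten with bound parameters, so quoting is no longer done by hand. It assumes an in-memory SQLite database and a guessed column layout so that it runs offline; the function name insertStudent and the array keys are hypothetical.

```php
<?php
// Added example: the question's INSERT as a PDO prepared statement.
// Assumption: in-memory SQLite stands in for the MySQL server so this runs offline.
// For MySQL only the DSN changes, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also let the server do the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Assumed schema: column names are from the question, the types are a guess.
$pdo->exec('CREATE TABLE Student (
    SLastName TEXT, SFirstName TEXT, SeMail TEXT, SGrade INTEGER,
    SPhone TEXT, SCell TEXT, SLunch INTEGER)');

function insertStudent(PDO $pdo, array $s): void
{
    // Binding makes the value safe for SQL; validation checks it is an address at all.
    if (filter_var($s['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    // Placeholders keep the SQL text fixed; values travel separately as data.
    $stmt = $pdo->prepare(
        'INSERT INTO Student (SLastName, SFirstName, SeMail, SGrade, SPhone, SCell, SLunch)
         VALUES (:last, :first, :email, :grade, :phone, :cell, :lunch)'
    );
    $stmt->execute([
        ':last'  => $s['last'],  ':first' => $s['first'], ':email' => $s['email'],
        ':grade' => $s['grade'], ':phone' => $s['phone'], ':cell'  => $s['cell'],
        ':lunch' => $s['lunch'],
    ]);
}

// Constructed sample rows: the first is the question's data, the second has a
// quote character in the name, which breaks hand-quoted SQL strings.
$rows = [
    ['last' => 'Weiner', 'first' => 'Wendy', 'email' => 'somemail@gmail.com',
     'grade' => 12, 'phone' => '2123334444', 'cell' => '8458765555', 'lunch' => 5],
    ['last' => "O'Brien", 'first' => 'Pat', 'email' => 'pat@example.com',
     'grade' => 11, 'phone' => '2125550100', 'cell' => '8455550101', 'lunch' => 4],
];
foreach ($rows as $row) {
    insertStudent($pdo, $row);
}

// Both rows are stored verbatim, quote included.
foreach ($pdo->query('SELECT SLastName, SeMail FROM Student') as $r) {
    echo $r['SLastName'], ' <', $r['SeMail'], ">\n";
}
```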




Answer 3:


You need to encase your values in quotes:

$query = "INSERT INTO Student (SLastName, SFirstName, SeMail, SGrade, SPhone, SCell, SLunch)".
" VALUES ('$LastName','$FirstName','$email', '$grade', '$phone', '$cell', '$lunch')";



Source: https://stackoverflow.com/questions/3517090/inserting-an-email-address-into-a-table-field
