我试图像这样运行mySQL插入语句:
function insertAppointment($connection, $id, $firstname, $lastname, $email, $phone, $date, $time){
$sql = "INSERT INTO `appointments` (firstname, lastname, email, phone, app_date, app_time) VALUES ('" . $id . "', '" . $firstname . "', '" . $lastname . "', '" . $email . "', " . $date . ", " . $time . ")";
$connection->query($sql);
}
$ connection是我的连接字符串,这不是问题.我可以将它用于select语句,如下所示:
function getTakenDates($connection){
$query = mysqli_query($connection, "SELECT app_date, app_time FROM `appointments`");
$results = array();
while($row = mysqli_fetch_assoc($query)){
$results[] = $row;
}
return $results;
}
您很容易受到SQL注入攻击,并且使用$ date/$ time值创建了错误的查询:
INSERT .... VALUES (..., 2014-11-10, 14:58:00)
因为你的日期值是不加引号的,你实际上会尝试插入那个数学运算的结果(-如果它不在字符串中,请记住是SUBTRACTION),而14:58:00是一个完全无效的数字 - mysql不知道是什么那些人:都是.
你要
$sql = "[..snip..] "', '" . $date . "', '" . $time . "')";
^-------------^--^-------------^----
代替.请注意额外的报价.那会产生
INSERT .... VALUES (..., '2014-11-10', '14:58:00')