max*_*ax_ 0 php mysql mysql-error-1064
我从下面的代码中收到以下错误.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@doe.com,username,5f4dcc3b5aa765d61d8327deb882cf99,09/05/2011 1:11:13 AM)' at line 1
$username = $_GET['username'];
$password = md5($_GET['password']);
$firstname = $_GET['firstname'];
$lastname = $_GET['lastname'];
$email = $_GET['email'];
$date = uk_date();
$conn = mysql_connect('localhost', 'myuser', 'mypass');
mysql_select_db('dbname');
$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES (". $firstname . ",". $lastname ."," . $email . "," . $username . "," . $password . "," . $date . ")";
$result = mysql_query($query) or die(mysql_error());
echo 'Success';
mysql_close($result);
请你告诉我我的问题是什么?我是MySQL和PHP的新手,所以请你能解释我做错了以备日后参考.
你没有引用INSERT中的任何值,你应该说更像这样的东西:
$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('". $firstname . "','". $lastname ."','" . $email . "','" . $username . "','" . $password . "','" . $date . "')";
您还应该使用mysql_real_escape_string所有这些变量来确保任何嵌入的引号等都已正确编码.
一个更好的版本将是这样的:
$query = sprintf("INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('%s', '%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname),
mysql_real_escape_string($email),
mysql_real_escape_string($username),
mysql_real_escape_string($password),
mysql_real_escape_string($date));
您还应该听BoltClock并使用PDO和占位符,这样您就不必担心报价并逃避这么多.PDO还可以更轻松地切换数据库.