问题描述
我正在使用此查询输入信息以进行前端编辑. 2个问题.首先,输入可以很好地用作数字,但不会发布文本.其次,new_type1和new_type2是复选框,不能正确发布.
I am using this query to input info for front end editing. 2 problems. First, input works fine as number, but will not post text. Second, new_type1 and new_type2 are checkboxes and do not post correctly.
$query = "DELETE p.* FROM #__bl_press as p WHERE p.match_id = ".$row->id;
$db->setQuery($query);
$db->query();
if(isset($_POST['new_source']) && count($_POST['new_source'])){
for ($i=0; $i< count($_POST['new_source']); $i++){
$new_event1 = $_POST['new_source'][$i];
$query = "INSERT INTO #__bl_press(n_source, n_title, n_link, match_id, type1, type2) VALUES(".$new_event1.",".$_POST['new_title'][$i].",".$_POST['new_link'][$i].",".$row->id.",".intval($_POST['new_type1'][$i]).",".intval($_POST['new_type2'][$i]).")";
$db->setQuery($query);
$db->query();
}
}
推荐答案
您需要在字符串值两边加上引号:
You need quotes round the string values:
$query = "INSERT INTO #__bl_press(n_source,n_title,n_link,match_id,type1,type2)".
"VALUES('".$new_event1."','".$_POST['new_title'][$i]."','" . // etc
// ^ ^ ^ ^ ^
此外,您还应该使用 mysql_real_escape_string 或参数化查询,以避免在发布的数据包含诸如引号或反斜杠之类的字符时出现SQL注入漏洞和运行时错误.另请参阅此问题以获取更多信息:
Also you should use mysql_real_escape_string or parameterized queries to avoid SQL injection vulnerabilities and runtime errors when the posted data contains characters such as quotes or backslashes. See also this question for more information:
这篇关于无法使用"Insert Into"将文本发布到MySQL.的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!