PHP发布错误Mysql

Question

我正在尝试使用以下代码将数据发布到我的数据库:

 <?php
if(isset($_POST['add']))
{
$dbhost = 'internal-db';
$dbuser = 'support';
$dbpass = 'sgh';
$db = "mpc";
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
  die('Could not connect: ' . mysql_error());
}

$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$country = $_POST['country'];
$message = $_POST['message'];
$callback = $_POST['callback'];

$sql = "INSERT INTO enquiries 
       (firstname, surname, email, phone, country, message, callback)
       VALUES('$firstname','$surname', $email, $phone, $country, $message, $callback)";

mysql_select_db($db);
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
  die('Could not enter data: ' . mysql_error());
}
echo "Entered data successfully\n";
mysql_close($conn);
}
else
{
?>

当我尝试发布表单时，我收到以下错误:

Could not enter data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , , )' at line 3

无法找出代码中的错误。你能帮我吗？？？？我使用的是已弃用的代码吗？？

Answer 1

查询中的变量为空($email, $phone, $country, $message, $call)。尝试在 query 之前对变量进行 var_dump，看看它们是否有一些 value。此外，当它们是字符串(例如邮件)时，您还需要用引号将它们括起来，例如 '$var'。

此外，看在上帝的份上，对输入进行清理。看这里:

What are the best PHP input sanitizing functions?

How can I prevent SQL injection in PHP?