php - 为什么我的 MySQL INSERT 语句返回错误？ PDOException SQLSTATE[42000] :

Question

我的 mySQL 遇到问题，我真的不知道发生了什么。我知道它与我的语法有关，但不确切是什么。

if(isset($_POST['newBtn'])) {
// Check that everything has values and something has been changed
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$title = $_POST['title'];
$smalldesc = $_POST['smalldesc'];
$fulldesc = $_POST['fulldesc'];
// username = $admin
// date = getdate(today in unix time stamp)
date_default_timezone_set('UTC');
$date = new DateTime();
$date = $date->getTimestamp();
if("Testing form. Not relevant.") {
    echo "<div class='alert alert-warning'>You submitted blank data somewhere, or did not change any data from it's default.</div>";
} else {
    $sqladd = "INSERT INTO theories(theory_name,small_desc,full_desc,author,create_date) VALUES ($title,$smalldesc,$fulldesc,$admin,$date)";
    try {
    $sth = $dbh->query($sqladd);

    echo "<div class='alert alert-success'><b>Success!</b>You Have created a new theory that is availible for viewing to the public.</div>";
} catch(PDOExecption $e) {
echo "<div class='alert alert-error'><b>Error!</b>Could not add to database.<br />". $e->getMessage() ."</div>";
}
}
}

我收到此错误:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax
error or access violation: 1064 You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near 'Form,I 
shouldn't be having this much of an issue with php.,I really hate when PH' at line 1' in 
/srv/http/mt-chillad/users/admin-theories.php:42 Stack trace: #0 /srv/http/mt-
chillad/users/admin-theories.php(42): PDOStatement->execute() #1 {main} thrown in 
/srv/http/mt-chillad/users/admin-theories.php on line 42

Answer 1

哎呀，使用参数绑定(bind)

try {
    $stmt = $sbh->prepare('INSERT INTO theories(theory_name,small_desc,full_desc,author,create_date) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$title,$smalldesc,$fulldesc,$admin,$date]);

    // and so on

发生错误的原因是您直接将未经清理和未加引号的值插入到查询中。

进一步阅读

• http://php.net/manual/pdo.prepare.php
• http://php.net/manual/pdostatement.bindparam.php
• http://php.net/manual/pdostatement.execute.php
• http://php.net/manual/pdostatement.bindvalue.php