我想从URL读取查询字符串并将其保存到sqlite数据库中
我面对这些错误消息:
PHP Warning: sqlite3::exec(): near ",": Syntax error
但是我没有问题:
$Tel = $_REQUEST["from"];
$Content = $_REQUEST["text"];
echo $Tel = strip_tags($Tel);
echo $Content = strip_tags($Content);
$sql =<<<EOF
INSERT INTO foodordering(Fullname, Tel, RecievingTime, Content)
VALUES ("Ehsan", $Tel, date('Now'), $Content);
EOF;
$ret = $db->exec($sql);
解决方法:
正如@HassanAhmed所提到的,这是当输入处理不当时发生的.您会看到与有人对您使用SQL injection相同的问题.快速的解决方法是将这些字段用引号引起来:
VALUES ("Ehsan", "$Tel", date('Now'), "$Content");
您应该做的是绑定参数:
$sql =<<<EOF
INSERT INTO foodordering(Fullname, Tel, RecievingTime, Content)
VALUES ("Ehsan", :tel, date('Now'), :content);
EOF;
$stmt = $db->prepare($sql);
$stmt->bindValue(':tel', $_REQUEST['from']);
$stmt->bindValue(':content', $_REQUEST['text']);
$ret = $stmt->execute();