我收到以下代码中的以下错误。MySQL语法:您的SQL语法中有错误...
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@doe.com,username,5f4dcc3b5aa765d61d8327deb882cf99,09/05/2011 1:11:13 AM)' at line 1
$username = $_GET['username'];
$password = md5($_GET['password']);
$firstname = $_GET['firstname'];
$lastname = $_GET['lastname'];
$email = $_GET['email'];
$date = uk_date();
$conn = mysql_connect('localhost', 'myuser', 'mypass');
mysql_select_db('dbname');
$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES (". $firstname . ",". $lastname ."," . $email . "," . $username . "," . $password . "," . $date . ")";
$result = mysql_query($query) or die(mysql_error());
echo 'Success';
mysql_close($result);
能不能请您让我知道,我的问题是什么?我是MySQL和PHP的新手,所以请你提供一个解释,说明我做错了什么,以备日后参考。
问题是,你是(等等等等等等等等等等等等等等),而且你没有使用准备好的语句。 – BoltClock 2011-05-09 00:17:04
准备好的陈述是什么意思? – 2011-05-09 00:18:16
看看[PHP PDO手册]中的这篇文章(http://php.net/manual/en/pdo.prepared-statements.php)。准备好的语句对于帮助防范大多数Web应用程序易受攻击的SQL注入攻击都是不可或缺的。 – BoltClock 2011-05-09 00:18:54