2017-03-03 72 views
0
<?php 
    if(isset($_POST['create_post'])) 
    { 
     $post_title = $_POST['title']; 
     $post_author = $_POST['post_author']; 
     $post_category_id = $_POST['post_category_id']; 
     $post_status = $_POST['post_status']; 
     $post_image = $_FILES['image']['name']; 
     $post_image_temp = $_FILES['image']['tmp_name']; 
     $post_tags = $_POST['post_tags']; 
     $post_content = $_POST['post_content']; 
     $post_date = date('d-m-y'); 
     $post_comment_count = 4; 


     move_uploaded_file($post_image_temp, "../image/ $post_image"); 

     $query = "INSERT INTO posts(post_category_id, post_title, post_author, post_date, post_image, post_content, post_tags, post_comment_count, post_status) "; 

     $query .= "Values ($post_category_id, '$post_title', '$post_author',now(), '$post_image', '$post_content', '$post_tags', '$post_comment_count', '$post_status') "; 

     $connet_query_post = mysqli_query($connection, $query); 

     if(!$connet_query_post) 
     { 

      die("Query Failed" . mysqli_error($connection)); 
     } 



    } 

?> 

<h1 class="page-header"> 
         Wellcome to Admin 
         <small>author</small> 
        </h1> 
<form action="" method="post" enctype="multipart/form-data"> 
    <div class="form-group"> 
     <label for="title">Post title</label> 
     <input type="text" class="form-control" name="title" > 
    </div> 
    <div class="form-group"> 
     <label for="post_category">Post Category Id </label> 
     <input type="text" class="form-control" name="post_category_id" > 
    </div> 
    <div class="form-group"> 
     <label for="post_author">Post Author </label> 
     <input type="text" class="form-control" name="post_author"> 
    </div> 
    <div class="form-group"> 
     <label for="post_status">Post Status </label> 
     <input type="text" class="form-control" name="post_status" > 
    </div> 
    <div class="form-group"> 
     <label for="post_image">Post Image</label> 
     <input type="file" class="form-control" name="image" > 
    </div> 
    <div class="form-group"> 
     <label for="post_tags">Post Tags </label> 
     <input type="text" class="form-control" name="post_tags" > 
    </div> 
    <div class="form-group"> 
     <label for="post_content">Post Contents</label> 
     <textarea class="form-control" name="post_content" id="" cols="30" rows="10"></textarea> 
    </div> 
    <div class="form-group"> 
     <label for="post_tags">Post Tags </label> 
     <input type="text" name="create_post" class="form-control"> 
    </div> 
    <div class="form-group"> 
     <input class="btn btn-primary" type="submit" value="Publish" name="create_post" > 
    </div> 
</form> 

Here is my code. I am getting an error; that is the form. Why is my insert query not working?

Query FailedYou have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' '', '',now(), '', '', '', '4', '')' at line 1

I checked my query and it looks correct to me.

+0

What is the output of echo $query for a given value? Can you please post the raw output of echo $query?

+0

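There is a problem with the values you are inserting in the query. Show an example query with the variables replaced by actual data. Also note that, since you are not sanitizing your data, you are open to SQL injection. Learn about prepared statements, since you are still learning.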

+0

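@Ankitvadariya I am making an admin panel, so I created a form and tried to fill it in, but it shows an error. I can't understand how to remove this. The concept is to fill in the form and then it must be submitted to the database.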

Answers

0

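You are probably using an apostrophe in one of the PHP variables. Use the mysqli_real_escape_string() function on every variable you get from the form. You should always do this because of SQL injection.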

0

What are the column types of these that you are using:

"post_category_id, post_title, post_author, post_date, post_image, post_content, post_tags, post_comment_count, post_status"?

For strings, also use mysqli_real_escape_string(); you need to pass the active connection as the first parameter.

0
move_uploaded_file($post_image_temp, "../image/ $post_image"); 

$query = "INSERT INTO posts(post_category_id, post_title, post_author, post_date, post_image, post_content, post_tags, post_comment_count, post_status) "; 

$query .= "Values ($post_category_id, '$post_title', '$post_author','".now()."', '$post_image', '$post_content', '$post_tags', '$post_comment_count', '$post_status') "; 

$connet_query_post = mysqli_query($connection, $query); 

      if(!$connet_query_post) 
      { 

       die("Query Failed" . mysqli_error($connection)); 
      } 

now() is a function; you can't use it as a string.

Query FailedYou have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' '', '',now(), '', '', '', '4', '')' at line 1 
In your error you can see now().

Instead of now() there should be a string.

+0

What kind of value? I am watching a tutorial, and the instructor did the same thing; he did not pass any value.

+0

Just replace now() with '".now()."' and try.

+0

Fatal error: Call to undefined function now() in C:\xampp\htdocs\cms\admin\includes\add_post.php on line 18
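
The comment above recommends prepared statements and the answers recommend escaping every form value. As an added example (not code from the thread), here is the same insert written with a mysqli prepared statement, with the category id validated and the uploaded file name restricted. It assumes `$connection` is the open mysqli handle from the question and that `post_category_id` is an integer column; `create_post()` is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumptions: $connection is the open
// mysqli handle from the question; post_category_id is an integer column;
// create_post() is a hypothetical helper name.
function create_post(mysqli $connection, array $form, array $file): int
{
    // Interpolated unquoted, an empty value here renders as "Values (, ..."
    // which is invalid SQL, so require an integer before building the query.
    $category_id = filter_var($form['post_category_id'] ?? '', FILTER_VALIDATE_INT);
    $title = trim($form['title'] ?? '');
    if ($category_id === false || $title === '') {
        throw new InvalidArgumentException('integer post_category_id and a title are required');
    }
    $author  = $form['post_author'] ?? '';
    $content = $form['post_content'] ?? '';
    $tags    = $form['post_tags'] ?? '';
    $status  = $form['post_status'] ?? '';
    $comment_count = 4; // same fixed value as in the question

    // The file name comes from the client: keep only its base name and accept
    // a fixed list of image extensions before writing into ../image/.
    $image = basename($file['name'] ?? '');
    $ext = strtolower(pathinfo($image, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new InvalidArgumentException('unsupported image type');
    }
    if (!move_uploaded_file($file['tmp_name'] ?? '', '../image/' . $image)) {
        throw new RuntimeException('upload failed');
    }

    // Placeholders keep form input out of the SQL text. now() stays inside the
    // SQL string because it is a MariaDB function, not a PHP one.
    $stmt = mysqli_prepare($connection,
        'INSERT INTO posts (post_category_id, post_title, post_author, post_date,
                            post_image, post_content, post_tags,
                            post_comment_count, post_status)
         VALUES (?, ?, ?, now(), ?, ?, ?, ?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    mysqli_stmt_bind_param($stmt, 'isssssis', $category_id, $title, $author,
        $image, $content, $tags, $comment_count, $status);
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('insert failed');
    }
    return (int) mysqli_insert_id($connection);
}
```

It would be called from the `if(isset($_POST['create_post']))` branch as `create_post($connection, $_POST, $_FILES['image'])`.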