你的SQL语法有错误;检查与您的MySQL服务器版本相对应的手册，在第5行'''附近使用正确的语法

Question

我无法从我的表单中获取数据以加载到MySQL数据库中。请帮忙！ 这是错误，我得到：

Error: INSERT INTO add_review (name,email,details) VALUES ('Darron Brown', 'blank@gmail.com', 'ldldjd',) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 5

<?php 
// Connect to MySQL 
    // a. Variables 
    $host = "hostname"; 
    $username = "user"; 
    $password = "secretpassword"; 
    $dbname = "myDatabase"; 

    // b. Connection 
    $connection = mysqli_connect($host, $username, $password, $dbname); 

    // c. Check our connection 
    if(mysqli_connect_errno()) { 
    die("Database connection failed: " . 
     mysqli_connect_error() . 
     " (" . mysqli_connect_errno() . ")" 
    ); 
    } 
    // Insert our data 
    $name = isset($_POST["name"]) ? $_POST["name"] : ""; 
    $email = isset($_POST["email"]) ? $_POST["email"] : ""; 
    $details = isset($_POST["details"]) ? $_POST["details"] : ""; 

    $name = mysqli_real_escape_string($connection, $name); 
    $email = mysqli_real_escape_string($connection, $email); 
    $details = mysqli_real_escape_string($connection, $details); 

    $sql = "INSERT INTO add_review (name,email,details) VALUES (
      '$name', 
      '$email', 
      '$details', 
     )"; 
// $insert = $connection->query($sql); 

    // Print response from MySQL 
    if (mysqli_query($connection, $sql)) { 
    echo "New record created successfully"; 
} else { 
    echo "Error: " . $sql . "<br>" . mysqli_error($connection); 
} 

    // Close our connection 
    mysqli_close($connection); 
?> 

<div class = "section page"> 
 
    <div class="wrapper"> 
 

 
    <h1>Add a Review</h1> 
 
    <p>If you think there is something I am missing, let me know! Complete the form to send me an email.</p> 
 
    <form method="post" action=""> 
 
     <table> 
 
     <tr> 
 
      <th><label for="name">Movie Name</label></th> 
 
      <td><input type="text" id="name" name="name" /></td> 
 
     </tr> 
 
     <tr> 
 
      <th><label for="email">Email</label></th> 
 
      <td><input type="text" id="email" name="email" /></td> 
 
     </tr> 
 
     <tr> 
 
      <th><label for="email">Suggest Movie Details</label></th> 
 
      <td><textarea name="details" id="details"></textarea></td> 
 
     </tr> 
 
     </table> 
 
     <input type="submit" value="Send" /> 
 
    </form> 
 
    </div> 
 
</div>

Answer 1

看到了Syntex为'$details',改变您的查询，之后$删除多余的逗号细节，如：

$sql = "INSERT INTO add_review (name,email,details) VALUES (
      '$name', 
      '$email', 
      '$details' 
     )"; 

注意：您是在SQL注入的风险，学会mysqli_prepared防止SQL注入，你可以学习here

你的预处理语句代码应该是这样的：

<?php 
// prepare and bind 
$sql = $conn->prepare("INSERT INTO add_review (name,email, details) VALUES (?, ?, ?)"); 
$sql->bind_param("sss", $name, $email, $details); 


$sql->execute(); 


echo "New records created successfully"; 

$sq]->close(); 
$conn->close(); 

?> 

现在解释的功能：

$sql->bind_param("sss", $name, $email, $details); 

该函数将参数绑定到SQL查询并告知数据库参数是什么。 “sss”参数列出参数所属的数据类型。 s字符告诉mysql该参数是一个字符串。

参数可以为四种类型之一：

我 - 整数 d - 双 秒 - 串 b - BLOB 我们必须对这些每个参数之一。

通过告诉mysqli预期什么类型的数据，我们将SQL注入的风险降至最低。

Important : When you insert any data from external sources (eg user input from a form), it is very important that the data is sanitized and validated.