的Android MYSQL插入不起作用

Question

我試圖插入objetc到表上使用下面的代碼我的數據庫：

PHP：

$sql = mysql_query("INSERT INTO order (placer_name, item_name, payment_amount, location_string, location_lat, location_long) VALUES('$_POST[PlacerName]', '$_POST[ItemName]', '$_POST[Payment]', '$_POST[Location]', '$_POST[Lat]', '$_POST[Long]')");  

     if($sql){ 
      echo 'Success'; 
     } 
     else{ 
      echo 'Error occured.'; 
     } 
} 

JAVA：

// POST ORDER 
    public void order(String nm, String pay, String location) { 
     itemName = nm; 
     paymentAmount = pay; 
     locationString = location; 
     if (Utility.getCurrentLocation() != null) { 
      handler.post(new Runnable() { 
       public void run() { 
        new OrderTask().execute((Void) null); 
       } 
      }); 
     } else { 
      // Cannot Determine Location 
      showMessage("Cannot Determine Location."); 
     } 
    } 

    class OrderTask extends AsyncTask<Void, Void, Boolean> { 
     private void postData() { 
      if (user.loggedIn) { 
       HttpClient httpclient = new DefaultHttpClient(); 
       HttpPost httppost = new HttpPost(
         "http://cyberkomm.ch/sidney/php/postOrder.php"); 
       try { 
        ArrayList<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(
          6); 
        nameValuePairs.add(new BasicNameValuePair("PlacerName", 
          user.userName)); 
        nameValuePairs.add(new BasicNameValuePair("ItemName", 
          itemName)); 
        nameValuePairs.add(new BasicNameValuePair("Payment", 
          paymentAmount)); 
        nameValuePairs.add(new BasicNameValuePair("Location", 
          locationString)); 
        nameValuePairs.add(new BasicNameValuePair("Long", String 
          .valueOf(user.longitude))); 
        nameValuePairs.add(new BasicNameValuePair("Lat", String 
          .valueOf(user.latitude))); 
        httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs)); 
        HttpResponse response = httpclient.execute(httppost); 
        BufferedReader in = new BufferedReader(
          new InputStreamReader(response.getEntity() 
            .getContent())); 
        StringBuffer sb = new StringBuffer(""); 
        String line = ""; 
        while ((line = in.readLine()) != null) { 
         sb.append(line); 
         break; 
        } 
        in.close(); 
        responseString = sb.toString(); 
        if (responseString.equals("Success")) { 
         // Order Placed 
         showMessage("Success. Order Placed!"); 
         user.onPlaced(); 
        } else { 
         // Failed 
         showMessage("Failed. " + responseString); 
        } 
       } catch (Exception e) { 
        Log.e("log_tag", "Error: " + e.toString()); 
       } 
      } else {`enter code here` 
       // Must Login 
       showMessage("Must Login"); 
      } 
     } 

     @Override 
     protected Boolean doInBackground(Void... params) { 
      postData(); 
      return null; 
     } 
    } 

數據庫：

當我運行代碼時，sql始終返回「出現錯誤」，這意味着它無法執行查詢：

"INSERT INTO order (placer_name, item_name, payment_amount, location_string, location_lat, location_long) VALUES('$_POST[PlacerName]', '$_POST[ItemName]', '$_POST[Payment]', '$_POST[Location]', '$_POST[Lat]', '$_POST[Long]')" 

我檢查語法，一切似乎是爲了，但我有一些猜測，什麼可能是錯誤的，但我我不知道：

類型的問題與整數，雙打 參數值

謝謝您的幫助。

Answer 1

order是一個MySQL保留字。

http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html

無論是包裝在反引號，或使用其他的話，如orders，這將是確定。

"INSERT INTO `order` 

有錯誤報告，會有跡象表明。

error_reporting(E_ALL); 
ini_set('display_errors', 1); 

http://php.net/manual/en/function.error-reporting.php

的SQL的錯誤信息會是：

您的SQL語法錯誤;檢查對應於你的MySQL服務器版本的手冊正確的語法使用近「爲了

---

另外，您的本次代碼是開放的SQL injection。使用mysqli with prepared statements或PDO with prepared statements。