你的SQL語法有錯誤;檢查與您的MySQL服務器版本相對應的手冊，在第5行'''附近使用正確的語法

Question

我無法從我的表單中獲取數據以加載到MySQL數據庫中。請幫忙！ 這是錯誤，我得到：

Error: INSERT INTO add_review (name,email,details) VALUES ('Darron Brown', 'blank@gmail.com', 'ldldjd',) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 5

<?php 
// Connect to MySQL 
    // a. Variables 
    $host = "hostname"; 
    $username = "user"; 
    $password = "secretpassword"; 
    $dbname = "myDatabase"; 

    // b. Connection 
    $connection = mysqli_connect($host, $username, $password, $dbname); 

    // c. Check our connection 
    if(mysqli_connect_errno()) { 
    die("Database connection failed: " . 
     mysqli_connect_error() . 
     " (" . mysqli_connect_errno() . ")" 
    ); 
    } 
    // Insert our data 
    $name = isset($_POST["name"]) ? $_POST["name"] : ""; 
    $email = isset($_POST["email"]) ? $_POST["email"] : ""; 
    $details = isset($_POST["details"]) ? $_POST["details"] : ""; 

    $name = mysqli_real_escape_string($connection, $name); 
    $email = mysqli_real_escape_string($connection, $email); 
    $details = mysqli_real_escape_string($connection, $details); 

    $sql = "INSERT INTO add_review (name,email,details) VALUES (
      '$name', 
      '$email', 
      '$details', 
     )"; 
// $insert = $connection->query($sql); 

    // Print response from MySQL 
    if (mysqli_query($connection, $sql)) { 
    echo "New record created successfully"; 
} else { 
    echo "Error: " . $sql . "<br>" . mysqli_error($connection); 
} 

    // Close our connection 
    mysqli_close($connection); 
?> 

<div class = "section page"> 
 
    <div class="wrapper"> 
 

 
    <h1>Add a Review</h1> 
 
    <p>If you think there is something I am missing, let me know! Complete the form to send me an email.</p> 
 
    <form method="post" action=""> 
 
     <table> 
 
     <tr> 
 
      <th><label for="name">Movie Name</label></th> 
 
      <td><input type="text" id="name" name="name" /></td> 
 
     </tr> 
 
     <tr> 
 
      <th><label for="email">Email</label></th> 
 
      <td><input type="text" id="email" name="email" /></td> 
 
     </tr> 
 
     <tr> 
 
      <th><label for="email">Suggest Movie Details</label></th> 
 
      <td><textarea name="details" id="details"></textarea></td> 
 
     </tr> 
 
     </table> 
 
     <input type="submit" value="Send" /> 
 
    </form> 
 
    </div> 
 
</div>

Answer 1

看到了Syntex爲'$details',改變您的查詢，之後$刪除多餘的逗號細節，如：

$sql = "INSERT INTO add_review (name,email,details) VALUES (
      '$name', 
      '$email', 
      '$details' 
     )"; 

注意：您是在SQL注入的風險，學會mysqli_prepared防止SQL注入，你可以學習here

你的預處理語句代碼應該是這樣的：

<?php 
// prepare and bind 
$sql = $conn->prepare("INSERT INTO add_review (name,email, details) VALUES (?, ?, ?)"); 
$sql->bind_param("sss", $name, $email, $details); 


$sql->execute(); 


echo "New records created successfully"; 

$sq]->close(); 
$conn->close(); 

?> 

現在解釋的功能：

$sql->bind_param("sss", $name, $email, $details); 

該函數將參數綁定到SQL查詢並告知數據庫參數是什麼。 「sss」參數列出參數所屬的數據類型。 s字符告訴mysql該參數是一個字符串。

參數可以爲四種類型之一：

我 - 整數 d - 雙 秒 - 串 b - BLOB 我們必須對這些每個參數之一。

通過告訴mysqli預期什麼類型的數據，我們將SQL注入的風險降至最低。

Important : When you insert any data from external sources (eg user input from a form), it is very important that the data is sanitized and validated.