您的SQL语法有错误;检查与MySQL服务器版本对应的手册，以获得正确的语法

Im facing this problem when inserting a SQL query:

我在插入SQL查询时遇到此问题:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '30000001'', NULL, 'Pending', NULL, NULL)' at line 1

错误:SQL语法中有错误;查看与您的MySQL服务器版本对应的手册,以便在第1行使用'30000001''附近的正确语法,NULL,'待定',NULL,NULL)'

The code is:

代码是:

  <?php 
// Connecting to the MySQL server 

include "connection.php"; // Check connection 

if (mysqli_connect_errno()) 
{
   echo "Failed to connect to MySQL: " . mysqli_connect_error(); 
}

$query = "SELECT * FROM meet ORDER BY meetid DESC LIMIT 1"; $result =
mysqli_query($con,$query) or die(mysqli_error($con)); $last_val =
mysqli_fetch_array($result); //   print_r($last_val); $last_val1 =
$last_val[0];

$query = "SELECT * FROM hdr_student WHERE Stud_NO = '$stud_no'";
$result = mysqli_query($con,$query) or die(mysqli_error($con));
$check_over = mysqli_fetch_array($result);

$null = 'sss'; $validateon = '0000-00-00 00:00:00.000000';
$supprephour = '0';

if(!empty($check_over['c_supervisor'])) 
{
      if(!empty($check_over['p_supervisor']))        
      { 
        $check_supp = $check_over['p_supervisor'];  
        $check_supp1 = var_export($check_supp,true);             

        $query = "INSERT INTO supervisorattendance (meetid, sup_no, supnote, supvalidate, supprephour, validateon) VALUES ('$last_val1', '$check_supp1', NULL, 'Pending', NULL, NULL)";       
        if (!mysqli_query($con,$query)) 
        {  
            die('Error: ' . mysqli_error($con)); 
        }  
      } 

      $check_supc = $check_over['c_supervisor'];  
      $check_supc1 = var_export($check_supp,true);     
      $query = "INSERT INTO supervisorattendance (meetid, sup_no, supnote, supvalidate, supprephour, validateon) VALUES ('$last_val1', '$check_supc1', NULL, 'Pending', NULL, NULL)";  

      if (!mysqli_query($con,$query)) 
      {  
           die('Error: ' . mysqli_error($con)); 
      } 
}

?>

2 个解决方案

#1

you problem is about single quotes in your variable used in mysql

你的问题是关于mysql中使用的变量中的单引号

so escape them like this before use in mysql

所以在使用mysql之前就这样逃避它们

 $check_supc = $check_over['c_supervisor'];  
 $check_supc1 = var_export($check_supp,true); 

 $last_val1 = mysqli_real_escape_string($con, $last_val1);  // use this line
 $check_supc1 = mysqli_real_escape_string($con, $check_supc1); // use this line

 $query = "INSERT INTO supervisorattendance (meetid, sup_no, supnote, supvalidate, supprephour, validateon) VALUES ('$last_val1', '$check_supc1', NULL, 'Pending', NULL, NULL)";

#2

var_export tries to generate a string that's valid as PHP code. Among other things, this means that if your content is a string, it'll get quotes around it. Since you're also adding quotes while you're cobbling your SQL, you end up with something like ...''$check_supp1'', NULL, 'Pending', NULL, NULL).

var_export尝试生成一个有效的PHP代码字符串。除此之外,这意味着如果你的内容是一个字符串,它会得到它周围的引号。既然你在编写SQL时也添加了引号,那么你最终会得到类似......''$ check_supp1'',NULL,'Pending',NULL,NULL)。

Unless you have a good reason for using var_export here (and i'm about 94% certain you don't), get rid of it. Use mysqli_real_escape_string to make stuff safer for a MySQL query.

除非你有充分的理由在这里使用var_export(并且我大约有94%肯定你不这样做),否则摆脱它。使用mysqli_real_escape_string为MySQL查询提供更安全的东西。

Or, if there's nothing but that number, you can use intval to make sure it's always a number.

或者,如果只有该数字,您可以使用intval确保它始终是一个数字。

Or, learn to use prepared statements. :P They can handle most of this stuff automatically.

或者,学习使用预准备语句。 :P他们可以自动处理大部分这些东西。

#1