我有这个代码,这是从电子邮件给出的链接注册用户。ID和Email被表单获取并显示,然后检查是否有用户它会在字段中显示内容,这只是一个更新。现在我要做的是CREATE,因为给用户的链接中的ID还不存在。这是Register.php
文件中的代码<?php
load_function('database.php');
if(!empty($_GET['user_id']) && !empty($_GET['cbemail']))
{
$user_id = base64_decode($_GET['user_id']);
$email = base64_decode($_GET['cbemail']);
$employee = get_employee($user_id,$email);
}
/*$first_name = $_POST['first_name'];
$middle_name = $_POST['middle_name'];
$last_name = $_POST['last_name'];
$suffix = $_POST['suffix'];
$gender = $_POST['gender'];
$date_birth = $_POST['date_birth'];
$cbemail = $_POST['cbemail'];
$locality_id = $_POST['locality_id'];
$home_phone = $_POST['home_phone'];
$mobile_phone = $_POST['mobile_phone'];*/
?>
<div id="main-content">
<div id="emp_registrationform">
<form action="" method="post">
<table width="600" border="0">
<h1>Create Employee</h1>
<tr>
<td class="align-right"><label for="user_id">User</label>
<input type="text" name="user_id" id="user_id"
value="<?php if(isset($user_id)){echo $user_id ; } ?>"/></td>
</td>
</tr>
<tr>
<td class="align-right"><label for="first_name">First Name</label>
<input type="text" name="first_name" id="first_name" value='<?php echo $employee['first_name'] ?>'/></td>
<td><label for="birth_date">Birth Date</label>
<input type="text" name="birth_date" id="birth_date" value='<?php echo $employee['date_birth'] ?>'/></td>
</tr>
<tr>
<td class="align-right"><label for="middle_name">Middle Name</label>
<input type="text" name="middle_name" id="middle_name" value='<?php echo $employee['middle_name'] ?>'/></td>
<td><label for="cbemail">Email</label>
<input type="text" name="cbemail" id="cbemail"
value="<?php if(isset($email)){echo $email ; } ?>"/></td>
</tr>
<tr>
<td class="align-right"><label for="last_name">Last Name</label>
<input type="text" name="last_name" id="last_name" value='<?php echo $employee['last_name'] ?>'/></td>
<td><label for="locality_id">Locality ID</label>
<input type="text" name="locality_id" id="locality_id" value='<?php echo $employee['locality_id'] ?>'/></td>
</tr>
<tr>
<td class="align-right"><label for="suffix">Suffix</label>
<input type="text" name="suffix" id="suffix" value='<?php echo $employee['suffix'] ?>'/></td>
<td><label for="home_phone">Phone(Home)</label>
<input type="text" name="home_phone" id="home_phone" value='<?php echo $employee['home_phone'] ?>'/></td>
</tr>
<tr>
<td class="align-right"><label for="gender">Gender</label>
<select>
<option selected><?php echo $employee['gender'] ?></option>
<option value="male">Male</option>
<option value="female">Female</option>
</select></td>
<td><label for="mobile_phone">Phone(Mobile)</label>
<input type="text" name="mobile_phone" id="mobile_phone" value='<?php echo $employee['mobile_phone'] ?>'/></td>
</tr>
<td class="align-right">
<input type="submit" id="submit-btn" value="Create Employee" />
</td>
<td> </td>
</table>
</form>
</div>
</div>
我的问题是这个数据,是不被捕获时保存在数据库上。我在数据库中的功能如下。
function add_employee($user_id, $first_name, $middle_name, $last_name,
$suffix, $gender, $date_birth, $cbemail,
$locality_id, $home_phone, $mobile_phone) {
$db = load_db();
$sql = "INSERT into employees (
user_id, first_name, middle_name, last_name,
suffix, gender, date_birth, cbemail,
locality_id, home_phone, mobile_phone
) VALUES (
$user_id, $first_name, $middle_name, $last_name,
$suffix, $gender, $date_birth, $cbemail,
$locality_id, $home_phone, $mobile_phone
)";
$result = $db->query($sql);
}
是的,我需要POST,但我不知道如何在输入框的值字段中捕获"值"。
提交按钮将在这行代码中重定向。
if(isset($_POST['save_user'])){
add_employee($_POST['user_id'], $_POST['first_name'], $_POST['middle_name'], $_POST['last_name'],
$_POST['suffix'], $_POST['gender'], $_POST['date_birth'], $_POST['cbemail'],
$_POST['locality_id'], $_POST['home_phone'], $_POST['mobile_phone']);
有什么想法吗?我希望你能理解这个问题。
对于要存储在Mysql数据库中的字符串,您需要使用"(引号).
对于$_POST['first_name']这样的字符串,使用'$_POST['first_name']'
Btw尝试使用参数化查询也是安全的,
SQL中的字符串值必须加引号。你是在没有引用的情况下把数据倾倒进去。这是无效的SQL。
使用参数化查询,这些查询将自动引用您的数据,并对其进行转义,以消除巨大的SQL注入安全漏洞。
用这个
function add_employee($user_id, $first_name, $middle_name, $last_name,
$suffix, $gender, $date_birth, $cbemail,
$locality_id, $home_phone, $mobile_phone) {
$db = load_db();
$sql = "INSERT into employees (
user_id, first_name, middle_name, last_name,
suffix, gender, date_birth, cbemail,
locality_id, home_phone, mobile_phone
) VALUES (
'".$user_id."', '".$first_name."', '".$middle_name."', '".$last_name."',
'".$suffix."', '".$gender."', '".$date_birth."', '".$cbemail."',
'".$locality_id."', '".$home_phone."', '".$mobile_phone."'
)";
$result = $db->query($sql);
}
什么是if(isset($_POST['save_user'])){
我没有看到save_user
名称的任何字段。您应该将其更改为其他一些东西,可能是if(isset($_POST['user_id'])){
。此外,您还需要其他人提到的引号。