我有这个基本的php插入脚本工作良好,它将插入表单完美一旦用户点击提交。但是,由于某些原因,当用户在点击提交之前访问页面时,它也会提交一条记录。在用户做任何事情之前,它就会在顶部显示"进入成功"。数据库中会有一个空白记录。为什么会发生这种情况?
作为附加问题…我可以防止sql注入购买简单地添加一些mysql_escape代码的各个部分?这是一个WordPress页面,所以有必要吗?
<?php
$user_ID = get_current_user_id();
$hostname = "******";
$username = "******";
$dbname = "******";
$password = "*****";
//Connecting to your database
mysql_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
mysql_select_db($dbname);
// Get values from form
$genre = $_POST['genre'];
$movie_name = $_POST['movie_name'];
$movie_text = $_POST['movie_text'];
$query = "INSERT INTO movies (ID, genre, movie_name, movie_text) VALUES
('$user_ID','$genre','$story_name','$story_text')";
$result = mysql_query($query);
if($result)
{
echo("
Entry Succesful");
}
else
{
echo("
failed to start");
}
?>
Get started!
<br><br>
<form name="movie" action="" method="post">
What type of movie? <select name="genre">
<option value="">Select...</option>
<option value="Comedy">Comedy</option>
<option value="Drama">Drama</option>
</select>
Name of Movie: <input type="text" size="55" name="movie_name">
<textarea rows="30" cols="80" name="movie_text" rows="4"></textarea>
<input type="submit" name="submit" id="submit" value="Add movie" />
</form>
"然而,由于某些原因,当用户在点击提交之前访问页面时,它也会提交一条记录。"
将代码包装在(if) isset()条件语句中,使用(命名的)提交按钮作为引用:
<?php
if(isset($_POST['submit'])){
$user_ID = get_current_user_id();
...
else
{
echo("
failed to start");
}
} // end brace for if(isset($_POST['submit']))
?>
Get started!
<br><br>
<form name="movie" action="" method="post">
<input type="submit" name="submit" id="submit" value="Add movie" />
...
</form>
对于SQL注入,请访问:
- 如何在PHP中防止sql注入?
堆栈。
您需要检查用户是否点击提交按钮,否则php脚本将在每次运行页面或请求页面时执行。你可以用isset来验证。试试下面的代码
<?php
if(isset($_REQUEST['submit']))
{
$user_ID = get_current_user_id();
$hostname = "******";
$username = "******";
$dbname = "******";
$password = "*****";
//Connecting to your database
mysql_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
mysql_select_db($dbname);
// Get values from form
$genre = $_POST['genre'];
$movie_name = $_POST['movie_name'];
$movie_text = $_POST['movie_text'];
$query = "INSERT INTO movies (ID, genre, movie_name, movie_text) VALUES
('$user_ID','$genre','$story_name','$story_text')";
$result = mysql_query($query);
if($result)
{
echo("
Entry Succesful");
}
}
其他{回声("启动失败");}?>
Get started!
<br><br>
<form name="movie" action="" method="post">
What type of movie? <select name="genre">
<option value="">Select...</option>
<option value="Comedy">Comedy</option>
<option value="Drama">Drama</option>
</select>
Name of Movie: <input type="text" size="55" name="movie_name">
<textarea rows="30" cols="80" name="movie_text" rows="4"></textarea>
<input type="submit" name="submit" id="submit" value="Add movie" />
</form>
希望有帮助