我有一个表单:
<table border="1">
<tr>
<td align="center">Form Input Employees Data</td>
</tr>
<tr>
<td>
<table>
<form method="post" action="input.php">
<input type="hidden" name="id" value="1234">
<tr>
<td>Product Name</td>
<td><input type="text" name="name" size="20">
</td>
</tr>
<tr>
<td>Brand</td>
<td><input type="text" name="brand" size="40">
</td>
</tr>
<tr>
<td></td>
<td align="right"><input type="submit" name="submit" value="Sent"></td>
</tr>
</form>
</table>
我的input.php是:
<?
//the example of inserting data with variable from HTML form
//input.php
mysql_connect("localhost","xxx","xxx");//database connection
mysql_select_db("xxxx_xxx");
//inserting data order
$order = "INSERT INTO wp_userdata
(id, product_name, product_brand)
VALUES
('$_POST[id]',
'$_POST[name]',
'$_POST[brand]')";
//declare in the order variable
$result = mysql_query($order); //order executes
if($result){
echo("<br>Input data is succeed");
} else{
echo("<br>Input data is fail");
}
?>
当我点击send按钮时,数据库表中添加了新行,但只记录了product_name
和product_brand
。隐藏的输入"id"值不会进入表…
如何让它记录所有3个值:id
, product_name
和product_brand
?
我看到一些引号缺失,我强烈建议您将cast
(强制)id为整数,并使用mysql_real_escape_string
对字符串项。否则,如果有人想要伤害,他可以编辑您隐藏的HTML输入字段并读出您的数据库。阅读更多信息
我也建议你不要在SQL查询中使用$_POST
变量。倒不如尝试为它使用一个专用的数组,这样您就知道它已经针对SQL注入进行了处理,但您也可能希望在使用它之前对数据做更多的处理。在我看来,修改$_POST
变量是一个不好的做法。只要让$_POST
保持原样即可。更容易调试问题。并修改数组的副本。
第三;不如使用PHP MySQLi函数(或PDO),因为旧的函数已被弃用。
input.php
//input.php
$sqli_handle = mysqli_connect("localhost","xxx","xxx");//database connection
mysqli_select_db($sqli_handle, "xxxx_xxx");
//convert the POST data to safe DB data
$data = $_POST;
$data['id'] = (int)$data['id'];
$data['name'] = mysqli_real_escape_string($sqli_handle, $data['name']);
$data['brand'] = mysqli_real_escape_string($sqli_handle, $data['brand']);
//inserting data order
$order = "INSERT INTO wp_userdata
(id, product_name, product_brand)
VALUES
('".(int).$data['id']."',
'".$data['name']."',
'".$data['brand']."')";
$result = mysqli_query($sqli_handle, $order);
if($result){
echo("<br>Input data is succeed");
}
else{
echo("<br>Input data is fail");
}
在您的input.php文件中,您必须使用变量插值,执行以下操作:
$id = (int) $_POST[id]; // Cast this to int because, I think you must have integer type date for ID column in your database
$order = "INSERT INTO wp_userdata
(id, product_name, product_brand)
VALUES ({$id}, {$_POST[name]}, {$_POST[brand]})";
有关插值的更多信息-请点击此链接:PHP变量插值与连接
做以下更改
$order = "INSERT INTO wp_userdata .(id, product_name, product_brand)值("$ _POST [mycustomid]。",’"。$ _POST[名字]。",’"。$ _POST[品牌]。")";
有时几个关键字被wordpress保留,请检查我的代码