这是我的html页面:
<form method="post">
<input type="hidden" name="user" readonly="readonly" value="<?php echo $session->username;?>">
<input placeholder="TAS Code" class="input-text" type="text" name="customerCode" id="name" />
<textarea type="text" placeholder="Comments" style="width: 500px;" wrap="hard" class="input-text" name="comments" id="email"/></textarea>
<input type="submit" value="Submit" class="btn-u btn-u-small" name="submit" id="comment-submit" />
</form>
这是在提交时运行 web .php 的 Java 脚本
$(document).ready(function() {
$('form').submit(function(msg) {
$.post("web.php",$(this).serialize(),function(data){
});
$( 'form' ).each(function(){
this.reset();
});
return false;
最后是我的网络.php来处理表单内容。
$mysqli =mysqli_connect("localhost","pf_sales","pfsal3s","pf_sales");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s'n", mysqli_connect_error());
exit();
}
$webbox = $_POST['web'];
$codebox=$_POST['customerCode'];
$commentbox=$_POST['comments'];
$discount=$_POST['discount'];
$task=$_POST['taskbox'];
$clear=$_POST['clearbox'];
$user=$_POST['user'];
if ($codebox !="" && $commentbox !="" && $webbox!="" && $discount!="")
{
$query = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]'),discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s'n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------'n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $webbox!="")
{
$query = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s'n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------'n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $task!="")
{
$query = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s'n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------'n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
}
else if ($codebox!="" && $commentbox!="" && $user!="")
{
$query ="INSERT INTO commentstable (user, customerCode, comments) VALUES ('$_POST[user]', '$_POST[customerCode]', '$_POST[comments]');";
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s'n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------'n");
}
} while ($mysqli->next_result());
}
$mysqli->close();
}
else if ($codebox!="" && $webbox!="" )
{
$query ="UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s'n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------'n");
}
} while ($mysqli->next_result());
}
$mysqli->close();
}
else if ($codebox!="" && $discount!="" )
{
$query ="UPDATE webdiscount SET discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]'); ";
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s'n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------'n");
}
} while ($mysqli->next_result());
}
$mysqli->close();
}
else if ($codebox !="" && $task!="")
{
$query = "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s'n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------'n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
}
else if ($codebox !="" && $clear=="done")
{
$query = "UPDATE webdiscount SET taskFor='' where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s'n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------'n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
因此,当我们放置 TAScode 和注释时,它应该更新注释表。只要我们不在文本中使用单引号',它就可以正常工作。即,如果我们写"我们没有这样做",那么表单不会更新数据库。
任何帮助将不胜感激。谢谢
问题是因为您将未转义的单引号传递给 SQL 查询。例如,如果$_POST['customerCode']
包含We didn't do this
则查询将如下所示:
INSERT INTO commentstable (customerCode, comments) VALUES ('We didn't do this', '…')
您看到破坏 SQL 语句的额外引号了吗?您可以通过切换到预准备语句来使用 mysqli::real_escape_string
或更好的语句来防止这种情况。您的查询将如下所示:
$query = "INSERT INTO commentstable (customerCode, comments) VALUES (?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('is', $_POST['customerCode'], $_POST['comments']);
$stmt->execute();
顺便说一句,您应该真正使用 isset
或 empty
检查这些 POST 变量是否存在,否则如果不传递这些变量,您将收到错误。
使用 mysqli_real_escape_string()
$comments = mysqli_real_escape_string($mysqli, $_POST['comments']);
$customerCode = mysqli_real_escape_string($mysqli, $_POST['customerCode']);
$query = "INSERT INTO commentstable (customerCode, comments) VALUES ('$customerCode', '$comments');";
$web = mysqli_real_escape_string($mysqli, $_POST['web']);
$discount = mysqli_real_escape_string($mysqli, $_POST['discount']);
$query .= "UPDATE webdiscount SET web = ('$web'),discount=('$discount') where customerCode = ('$customerCode');";
使用mysqli_real_escape_string()
阅读本文
所以代码将是
$codebox=mysqli_real_escape_string($con, $_POST['customerCode']);
等。。。