我将创建一个添加新闻的简单代码。。。(我的小项目)当我点击提交时,我会收到一条成功的文本,并重拨回页面,但没有添加任何数据,如果我将表单留空,则不会出现错误消息。
mysql_realescape_string能帮我省去一些麻烦吗?
<?php
include('connect_db.php');
if(isset($_POST['submit']))
{
$title = mysql_real_escape_string(htmlspecialchars($_POST['title']));
$text = mysql_real_escape_string(htmlspecialchars($_POST['text']));
if ($title == '' || $text == '')
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';
}
$result = mysql_query("INSERT INTO news ('id', 'date', 'title', 'text')
VALUES ('NULL', NOW(),'$title','$text')",$conn);
echo "<b>Thank you!<br>You'll be redirected in (4) secs...";
echo "<meta http-equiv=Refresh content=4;url=add.php>";
} else {
echo "<form method='post' action='add.php'>
<legend>Add news</legend>
<label>Title</label>
<input type='text' name='title'>
<label>Text</label>
<textarea rows='5' name='text'></textarea>
<br />
<button type='submit' name='submit' class='btn'>Submit</button>
</form>";
}?>
NULL
是一个关键字,它不应该在引号中。
类似地,字段名应该包含在后引号`
中,而不是单引号'
中,并且为了一致性,还应该将表名包含在后括号中。
此外,看起来id
设置为AUTO_INCREMENT
,所以不需要将其设置为NULL
。如果date
是TIMESTAMP
(它应该是),那么您也可以设置DEFAULT CURRENT_TIMESTAMP
并将其从查询中删除。
$result = mysql_query("INSERT INTO `news` (`title`,`text`) VALUES ('$title','$text')");
您的代码有点未完成。
<?php
// connect to the database
include('connect_db.php');
if(isset($_POST['submit']))
{
// htmlspecialchars is needed when displaying HTML to the user from an input, not for inserting into a database. mysql_real_escape_string is plenty for this purpose.
$title = mysql_real_escape_string($_POST['title']);
$text = mysql_real_escape_string($_POST['text']);
if ($title == '' || $text == '')
{
// You have generated an error but you are not displaying it anywhere.
// generate error message
echo 'ERROR: Please fill in all required fields!';
// You will want to either send the error in a query string to this page again and display it above the form or re-echo the form here.
}else{
// Don't submit the data if there is an error.
// ID should be auto-increment in your database, don't set it here even if you set it NULL, you can also have MySQL apply the current time rather than here.
$result = mysql_query("INSERT INTO news (`title`, `text`)
VALUES ('$title','$text')");
echo "<b>Thank you!<br>You'll be redirected in (4) secs...";
echo "<meta http-equiv=Refresh content=4;url=add.php>";
}
} else {
echo "<form method='post' action='add.php'>
<legend>Add news</legend>
<label>Title</label>
<input type='text' name='title'>
<label>Text</label>
<textarea rows='5' name='text'></textarea>
<br />
<button type='submit' name='submit' class='btn'>Submit</button>
</form>";
}
?>