html表单到sql表 - html forms to sql table

我创建了一个名为"employee.php"的表单页面，用于接收用户数据。此外，我还有另一个名为SQLConnectionProcess.php的文件，其中包含将employee.php中的表单链接到sql表的代码。数据库名称为"employee information"，表名称为"employee info"。我使用phpmyadmin和XAMPP进行本地服务器测试。

employee.php代码：

<html>
<body>
<form name="EmployeeDatabase" action="SQLConnectionProcess.php" method="post">
<link rel="stylesheet" href="css.css">
<h1>EMPLOYEE DATABASE</h1>
Employe Card NO: <input type="text" name="cardNO" ><br><br>
Employee NO: <input type="text" name="employeeNO" ><br><br>
Employee Name: <input type="text" name="employeename"><br><br>
Nationality: <input type="text" name="nationality"><br><br>
Profession: <input type="text" name="profession"><br><br>
DOB: <input type="text" name="DOB"><br><br>
DOJ: <input type="text" name="DOJ"><br><br>
DOA(VisitVisa): <input type="text" name="DOA"><br><br>
Company Code: <input type="text" name="companycode"><br><br>
Sponsor Code: <input type="text" name="sponsorcode"><br><br>
Visa Type: <input type="text" name="visatype"><br><br>
Status: <input type="text" name="status"><br><br>
<input type="submit" name="formSubmit" value="Submit">
</form>
</body>
</html>

SQLConnectionProcess.php代码：

  <?php
if(isset($_POST['formSubmit'])){
  $cardNO= isset($_POST['cardNO']) ? $_POST['cardNO'] : 0;
  $employeeNO= isset($_POST['employeeNO']) ? $_POST['employeeNO'] : 0;
  $employeename= isset($_POST['employeename']) ? $_POST['employeename'] : "";
  $nationality= isset($_POST['nationality']) ? $_POST['nationality'] : "";
  $profession= isset($_POST['profession']) ? $_POST['profession'] : "";
  $DOB= isset($_POST['DOB']) ? $_POST['DOB'] : "";
  $DOJ= isset($_POST['DOJ']) ? $_POST['DOJ'] : "";
  $DOA= isset($_POST['DOA']) ? $_POST['DOA'] : "";
  $companycode = isset($_POST['companycode']) ? $_POST['companycode'] : 0;
  $sponsorcode= isset($_POST['sponsorcode']) ? $_POST['sponsorcode'] : 0;
  $visatype= isset($_POST['visatype']) ? $_POST['visatype'] : "";
  $status= isset($_POST['status']) ? $_POST['status'] : "";
  $con = mysqli_connect('localhost','root','','employee information');
  $sql = sprintf("INSERT INTO table_employee info(Employee Card NO,Employee NO,Employee Name,Nationality,Profession,DOB,DOJ,DOA(VisitVisa),Company Code,Sponsor Code,Visa Type,Status) VALUES ('','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",$cardNO,$employeeNO,$employeename,$nationality,$profession,$DOB,$DOJ,$DOA,$companycode,$sponsorcode,$visatype,$status);
  mysqli_query($con,$sql);
}
?>

但当我从employee.php提交表格时，我会收到以下错误：

注意：未定义的变量：emplo‌yeeNOC： ''axamp''htdocs''test1''SQLConnectionProcess.php，第16行
注意：未定义变量：赞助商‌代码在C： ''axamp''htdocs''test1''SQLConnectionProcess.php，第16行

我找不到错误的来源。请帮助我

使用isset()来防止上述错误。

<?php
if(isset($_POST['formSubmit'])){
  $cardNO= isset($_POST['cardNO']) ? $_POST['cardNO'] : 0;
  $employeeNO= isset($_POST['employeeNO']) ? $_POST['employeeNO'] : 0;
  $employeename= isset($_POST['employeename']) ? $_POST['employeename'] : "";
  $nationality= isset($_POST['nationality']) ? $_POST['nationality'] : "";
  $profession= isset($_POST['profession']) ? $_POST['profession'] : "";
  $DOB= isset($_POST['DOB']) ? $_POST['DOB'] : "";
  $DOJ= isset($_POST['DOJ']) ? $_POST['DOJ'] : "";
  $DOA= isset($_POST['DOA']) ? $_POST['DOA'] : "";
  $companycode = isset($_POST['companycode']) ? $_POST['companycode'] : 0;
  $sponsorcode= isset($_POST['sponsorcode']) ? $_POST['sponsorcode'] : 0;
  $visatype= isset($_POST['visatype']) ? $_POST['visatype'] : "";
  $status= isset($_POST['status']) ? $_POST['status'] : "";
  $con = mysqli_connect('localhost','root','','employee information');
  $sql = sprintf("INSERT INTO employee_info info(EmployeeCardNO,EmployeeNO,EmployeeName,Nationality,Profession,DOB,DOJ,DOA(VisitVisa),CompanyCode,SponsorCode,VisaType,Status) VALUES ('','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",$cardNO,$employeeNO,$employeename,$nationality,$profession,$DOB,$DOJ,$DOA,$companycode,$sponsorcode,$visatype,$status);
  mysqli_query($con,$sql);
}
?>

不要依赖客户端期望的数据。首先确保从$_POST阵列读取的每个数据都已设置。如果某个值不重要，则可以选择默认值。你可以用一个短函数来简化它

function get(&$var, $default = null)
{
  return isset($var) ? $var : $default;
}
$cardNO = get($_POST['cardNO'], 0);

如果没有所需的输入，则必须通知用户。

然后永远不要将来自不安全源（例如客户端）的字符串混合到SQL语句中。请改用事先准备好的语句。

$query_string = 'INSERT INTO `tablename` (`fieldname1`, `fieldname2`) VALUES (?,?);';
if($statement =  $mysqli_connection->prepare( $query_string ))
{ $statement->bind_param('s', $variable1);
  $statement->bind_param('s', $variable2);
  $statement->execute();
  // fetch the result...
}

有关更多信息，请参阅PHP手册。

模拟的准备好的语句应该由连接上的选项关闭，因为在其他情况下编码攻击仍然是可能的。

如果你需要访问一个在标识符中包含空格的数据库，你可以将这些空格括在后面：

SELECT * FROM `table name with whitespaces`;