Question

我有一个包含一些复选框的表单，在其中一个复选框中，它包含一个'Liberal Democrats'的值。一旦我将其提交到数据库，该值就不会被记录，因为它中有一个空格。我该如何解决这个问题？以下是我的表格中的相关内容：

    <label>Party Standing For Election</label>
  <input name="Conservatives" type="checkbox" value="Conservatives" /> Conservative
  <input name="Liberal Democrats" type="checkbox" value="Liberal Democrats" /> Liberal Democrats
  <input name="Labour" type="checkbox" value="Labour"  /> Labour

它转到这个php页面：

    <?php

$name = $_REQUEST['name'];
$date = $_REQUEST['date'];
$month = $_REQUEST['month'];
$year = $_REQUEST['year'];
$labour = $_REQUEST['Labour'];
$libdems = $_REQUEST['Liberal Democrats'];
$conservatives = $_REQUEST['Conservatives'];


$con = mysql_connect("****************************");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db('******', $con);

$sql="INSERT INTO elections (name_of_election, date, month, year, party1, party2, party3) VALUES ('$name','$date', '$month','$year','$labour', '$libdems', '$conservatives')";

if (!mysql_query($sql,$con))
  {
        die('Error: ' . mysql_error());
  }
  else 
  {
      echo '<h2>An Election Has Been Created</h2>';

  }
?>

帮助？

Answer 1

关注@ seanbreeden解决主要问题的答案，但进行以下更改以保护您的表单免受@CanSpice的SQL注入：

$name = mysql_real_escape_string($_REQUEST['name']);
$date = mysql_real_escape_string($_REQUEST['date']);
$month = mysql_real_escape_string($_REQUEST['month']);
$year = mysql_real_escape_string($_REQUEST['year']);
$labour = mysql_real_escape_string($_REQUEST['Labour']);
$libdems = mysql_real_escape_string($_REQUEST['LiberalDemocrats']);    // with updated change
$conservatives = mysql_real_escape_string($_REQUEST['Conservatives']);
// ...
$sql="INSERT INTO elections (`name_of_election`, `date`, `month`, `year`, `party1`, `party2`, `party3`) VALUES ('$name','$date', '$month','$year','$labour', '$libdems', '$conservatives')";

Answer 2

任何人都可以编辑网页的HTML，将任意字符串放入您的应用程序中，即使您没有为它们提供简单的方法。通过网络发送给您的任何数据即使您认为您控制了发件人，也应被视为敌对。

如何将空间发送到MySQL数据库

2 个答案: