这是代码中有问题的部分:
$query = mysql_query("INSERT INTO members
(user, pass, mail, country, city, www, credo)
VALUES ('$_POST[user]','$_POST[pass]', '$_POST[mail]',
'$_POST[country]', '$_POST[city]', '$_POST[www]', '$_POST[credo]')")
or die ("Error - Couldn't register user.");
我得到了模具错误
如何找到无法执行的更具体的部分?
我试图逐个消除字段 - 没有结果。
答案 0 :(得分:2)
这应该会告诉您查询失败的原因,并且至少可以防止出现一些安全问题:
小改进
// Run by each $_POST entry and set it to empty if not found
// Clean the value against tags and blank spaces at the edges
$dataArr = array();
foreach($_POST as $key => $value) {
$dataArr[$key] = ($value == "undefined") ? '' : strip_tags(trim($value));
}
// try to perform the INSERT query or die with the returned mysql error
$query = mysql_query("
INSERT INTO members
(user, pass, mail, country, city, www, credo)
VALUES (
'".$dataArr["user"]."',
'".$dataArr["pass"]."',
'".$dataArr["mail"]."',
'".$dataArr["country"]."',
'".$dataArr["city"]."',
'".$dataArr["www"]."',
'".$dataArr["credo"]."'
)
") or die ("Error:<br/>".mysql_error());
中等改善
// Run by each $_POST entry and set it to empty if not found
// Clean the value against tags and blank spaces at the edges
$dataArr = array();
foreach($_POST as $key => $value) {
$dataArr[$key] = ($value == "undefined") ? '' : strip_tags(trim($value));
}
// escape everything
$query = sprintf("
INSERT INTO members
(user, pass, mail, country, city, www, credo)
value ('%s', '%s', '%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($dataArr["user"]),
mysql_real_escape_string($dataArr["pass"]),
mysql_real_escape_string($dataArr["mail"]),
mysql_real_escape_string($dataArr["country"]),
mysql_real_escape_string($dataArr["city"]),
mysql_real_escape_string($dataArr["www"]),
mysql_real_escape_string($dataArr["credo"])
);
// try to perform the INSERT query or die with the returned mysql error
$result = mysql_query($query) or die ("Error:<br/>".mysql_error());
高级改进
如果您正在开始一个新项目,或者您仍然可以改变您的方式,我会生动地建议使用PHP PDO来防止与您正在使用的当前数据库连接相关的许多安全问题。
答案 1 :(得分:0)
INSERT INTO members
(user, pass, mail, country, city, www, credo)
VALUES
('".$_POST['user']."','".$_POST['pass']."', '".$_POST['mail']."',
'".$_POST['country']."', '".$_POST['city']."', '".$_POST['www']."', '".$_POST['credo']."')")
只是一个简短的警告。将POST值直接插入数据库可能会导致安全漏洞。在将所有用户输入插入数据库之前,请务必验证并过滤所有用户输入。
答案 2 :(得分:0)
您的Sql查询错误。 这里
VALUES ('$_POST[user]')
你必须使用
$_POST['user']
您正在直接在数据库中插入值.. !!! 这是一个非常糟糕的感觉。让它逃脱
$user = mysql_real_escape_string(trim($_POST['user']));
$pass = mysql_real_escape_string(trim($_POST['pass']));
$mail = mysql_real_escape_string(trim($_POST['mail']));
$country = mysql_real_escape_string(trim($_POST['country']));
$city = mysql_real_escape_string(trim($_POST['city']));
$www = mysql_real_escape_string(trim($_POST['www']));
$credo = mysql_real_escape_string(trim($_POST['credo']));
然后将其插入数据库
$query = mysql_query("INSERT INTO members
(user, pass, mail, country, city, www, credo)
VALUES ($user,$pass, $mail,$country, $city, $www, $credo)")
or die ("Error - Couldn't register user.");
代码现在是安全的,可以插入数据库并且是一个干净的代码..