有一个简单的注册表单链接到一个php文件,以便将信息发送到数据库,但每次我尝试它的数据都不会显示在phpMyAdmin数据库中吗?
<?php
$name = $_POST['name'];
$address = $_POST['address'];
$number = $_POST['number'];
$email = $_POST['email'];
$details = $_POST['details'];
$user="root";
$password="secure";
$database="darrenweircharity";
mysql_connect("localhost",$user,$password);
@mysql_select_db($database) or die ("Unable to select database");
$query = "INSERT INTO registrationdetails(name, address, number, email, details)".
"VALUES('$name', '$address', '$number', '$email', '$details' NOW())";
mysql_query($query);
mysql_close();
?>
答案 0 :(得分:1)
Please, don't use mysql_* functions in new code。它们不再被维护,deprecation process已经开始了。请参阅red box?转而了解prepared statements,并使用PDO或MySQLi - this article将帮助您确定哪个。如果您选择PDO here is a good tutorial。
尝试:
$query = "INSERT INTO registrationdetails(name, address, number, email, details)".
"VALUES('" . $name . "', '" . $address . "', '" . $number . "', '" . $email . "', '" . $details . "');";
在查询结尾处有NOW(),不应该在那里。
另请注意,您的代码存在SQL注入漏洞(请参阅mysql_real_escape_string()),建议您通过PDO准备查询。
答案 1 :(得分:0)
防止可能的SQL注入:
$name = mysql_real_escape_string($name);
$address = mysql_real_escape_string($address);
$number = mysql_real_escape_string($number);
$email = mysql_real_escape_string($email);
$details = mysql_real_escape_string($details);
替换为:
$query = "
INSERT INTO registrationdetails (`name`, `address`, `number`, `email`, `details`)
VALUES ('$name', '$address', '$number', '$email', '$details')");
答案 2 :(得分:0)
$query = "
INSERT INTO registrationdetails (name, address, number, email, details, date_time)
VALUES ('{$name}', '{$address}', '{$number}', '{$email}', '{$details}', NOW())
";
将date_time替换为您的column_name。并且在将它们插入数据库之前,请记住使用mysql_real_escape_string转义所有提交的值。