使用PHP将表单数据传递到MySQL数据库

时间:2013-04-19 18:20:50

标签: php html mysql forms

我无法传递以下表单数据:

<form method="post" action="form.php" id="contact" enctype="multipart/form-data">
        <fieldset>
        <legend>Contact Us</legend>
        <div id="conleft">
        <label>First Name:</label><input type="text" name="firstName" required />
        <label>Last Name:</label><input type="text" name="lastName" required />
        <label>House/Flat No:</label><input type="text" name="houseNum"  />
        <label>Address:</label><input type="text" name="address" />
        <label>Town/City:</label> <input type="text" name="city" />
        <label>Postcode:</label> <input type="text" name="postcode" />
        <label>Telephone:</label> <input type="tel" name="telephone" />
        <label>Email:</label> <input type="email" name="email" required />
        </div>
        <div id="conright">
        <label>Enquiry:</label><textarea name="description" rows="13" required ></textarea>
        <label>Date:</label><input type="month" name="date" /><br /><br />
        <input type="submit" name="submit" value="Send" />
        <input type="reset" name="Reset" value="Reset" />
        <input type="hidden" name="customerNo" />
        <input type="hidden" name="enquiryNo" />
        <input type="radio" name="type" value="customer" checked />
        </div>
        </fieldset>
    </form>

使用以下PHP到MySQL数据库

<?php
$con=mysqli_connect("localhost", "root", "myuser","mypass");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$sql1="INSERT INTO customers (NULL, firstName, lastName, houseNum, address, city, postcode, telephone, email, type)
VALUES ('$_POST[customerNo]','$_POST[firstName]','$_POST[lastName]','$_POST[houseNum]','$_POST[address]','$_POST[city]','$_POST[telephone]', '$_POST[postcode]''$_POST[email]','$_POST[type]')";

mysqli_query($con,$sql1);

$sql2="INSERT INTO enquiry (NULL, customerNo, description, date)
VALUES ('$_POST[enquiryNo]','$_POST[customerNo]','$_POST[description]','$_POST[lastName]','$_POST[date]')";

mysqli_query($con,$sql2);

echo "<script language=javascript>window.location = 'thanks.html';</script>";

mysqli_close($con);
?>

网页就像表单数据已经通过在提交时显示thank.html页面一样发送,但数据库中没有填充数据。我设置了AUTO INCREMENT,PRIMARY和FOREIGN键,这是我尝试传递值的方式吗?

4 个答案:

答案 0 :(得分:1)

尝试更改第一个查询,如下所示:

$sql1="INSERT INTO customers (customerNo,firstName, lastName, houseNum, address, city, postcode, telephone, email, type)VALUES('{$_POST['customerNo']}','{$_POST['firstName']}','{$_POST['lastName']}','{$_POST['houseNum']}','{$_POST[address]}','{$_POST['city']}', '{$_POST['postcode']}','{$_POST['telephone']}','{$_POST['email']}','{$_POST['type']}')";

和第二个查询如下:

$sql2="INSERT INTO enquiry (enquiryNo,customerNo, description,lastname,date)VALUES('{$_POST['enquiryNo']}','{$_POST['customerNo']}','{$_POST['description']}','{$_POST['lastName']}','{$_POST['date']}')";

试试并告诉我结果:)

答案 1 :(得分:1)

首先,您需要检查已发布的SQL注入输入。

但如果你这样做,那么它应该可行

   $sql1="INSERT INTO customers (NULL, firstName, lastName, houseNum, address, city, postcode, telephone, email, type) VALUES ('". $_POST['customerNo'] ."','".$_POST['firstName'] ."','".$_POST['lastName'] ."','".$_POST['houseNum'] ."','". $_POST['address'] ."','". $_POST['city'] ."','". $_POST['telephone'] ."', '". $_POST['postcode'] ."','". $_POST['email'] ."','". $_POST['type'] ."')";

mysqli_query($con,$sql1) or die(print_r(mysqli_error()));

对于一个简单的SQL注入清洁剂,我使用它,

function scrubSQL($con,$string)
{

     $string = htmlspecialchars(strip_tags(trim($string)));
     $string = str_replace("'","",$string);
     $string = mysqli_real_escape_string($con,$string);

     return $string;        

}

答案 2 :(得分:0)

使用'".$_POST['customerNo']."'代替'$_POST[customerNo]'以及$_POST命令中所有INSERT值的类似内容

编辑1:

似乎customerNOenquiryNo是自动增量列。所以

$sql1="INSERT INTO customers (NULL, firstName, lastName, houseNum, address, city, postcode, telephone, email, type)
VALUES ('$_POST[customerNo]','$_POST[firstName]','$_POST[lastName]','$_POST[houseNum]','$_POST[address]','$_POST[city]','$_POST[telephone]', '$_POST[postcode]''$_POST[email]','$_POST[type]')";

应该是

$sql1="INSERT INTO customers (customerNo, firstName, lastName, houseNum, address, city, postcode, telephone, email, type)
VALUES (NULL,'$_POST[firstName]','$_POST[lastName]','$_POST[houseNum]','$_POST[address]','$_POST[city]','$_POST[telephone]', '$_POST[postcode]''$_POST[email]','$_POST[type]')";

mysqli_query($con,$sql1);
$customerNO=mysql_insert_id();

然后

$sql2="INSERT INTO enquiry (NULL, customerNo, description, date)
VALUES ('$_POST[enquiryNo]','$_POST[customerNo]','$_POST[description]','$_POST[lastName]','$_POST[date]')";

应该是

$sql2="INSERT INTO enquiry (enquiryNO, customerNo, description, date)
VALUES (NULL,'$customerNo','$_POST[description]','$_POST[lastName]','$_POST[date]')";

答案 3 :(得分:0)

看起来您正试图在NULL列中插入一个值,这可能是ID或No列?我假设您的主键是customerNo和enquiryNo,请尝试下面的代码:

$sql1 = "INSERT INTO customers (firstName, lastName, houseNum, address, city, postcode, telephone, email, type) VALUES ('$_POST[firstName]','$_POST[lastName]','$_POST[houseNum]','$_POST[address]','$_POST[city]','$_POST[telephone]', '$_POST[postcode]''$_POST[email]','$_POST[type]')";
mysqli_query($con, $sql1) or die('Query 1 Failed: '.mysqli_error($con));

$customer_no = mysqli_insert_id($con);

$sql2 = "INSERT INTO enquiry (customerNo, description, date) VALUES ('$customerNo','$_POST[description]','$_POST[lastName]','$_POST[date]')";
mysqli_query($con, $sql2) or die('Query 2 Failed: '.mysqli_error($con));

要获取新插入记录的主键,您可以使用mysqli_insert_id()

如果查询失败,我还添加了一些error trapping。我建议您查看prepared statements,因为这些将有助于保护您的数据库免受SQL注入攻击。

相关问题
最新问题