我有这个代码,这是从电子邮件中给出的链接注册用户。因此,ID和电子邮件正在通过表单和显示进行GET,然后检查是否有用户然后它将在该字段上显示内容,然后它只是一个更新。现在我要做的是创建,因为提供给用户的链接中的ID尚不存在。这是名为Register.php
的文件中的代码<?php
load_function('database.php');
if(!empty($_GET['user_id']) && !empty($_GET['cbemail']))
{
$user_id = base64_decode($_GET['user_id']);
$email = base64_decode($_GET['cbemail']);
$employee = get_employee($user_id,$email);
}
/*$first_name = $_POST['first_name'];
$middle_name = $_POST['middle_name'];
$last_name = $_POST['last_name'];
$suffix = $_POST['suffix'];
$gender = $_POST['gender'];
$date_birth = $_POST['date_birth'];
$cbemail = $_POST['cbemail'];
$locality_id = $_POST['locality_id'];
$home_phone = $_POST['home_phone'];
$mobile_phone = $_POST['mobile_phone'];*/
?>
<div id="main-content">
<div id="emp_registrationform">
<form action="" method="post">
<table width="600" border="0">
<h1>Create Employee</h1>
<tr>
<td class="align-right"><label for="user_id">User</label>
<input type="text" name="user_id" id="user_id"
value="<?php if(isset($user_id)){echo $user_id ; } ?>"/></td>
</td>
</tr>
<tr>
<td class="align-right"><label for="first_name">First Name</label>
<input type="text" name="first_name" id="first_name" value='<?php echo $employee['first_name'] ?>'/></td>
<td><label for="birth_date">Birth Date</label>
<input type="text" name="birth_date" id="birth_date" value='<?php echo $employee['date_birth'] ?>'/></td>
</tr>
<tr>
<td class="align-right"><label for="middle_name">Middle Name</label>
<input type="text" name="middle_name" id="middle_name" value='<?php echo $employee['middle_name'] ?>'/></td>
<td><label for="cbemail">Email</label>
<input type="text" name="cbemail" id="cbemail"
value="<?php if(isset($email)){echo $email ; } ?>"/></td>
</tr>
<tr>
<td class="align-right"><label for="last_name">Last Name</label>
<input type="text" name="last_name" id="last_name" value='<?php echo $employee['last_name'] ?>'/></td>
<td><label for="locality_id">Locality ID</label>
<input type="text" name="locality_id" id="locality_id" value='<?php echo $employee['locality_id'] ?>'/></td>
</tr>
<tr>
<td class="align-right"><label for="suffix">Suffix</label>
<input type="text" name="suffix" id="suffix" value='<?php echo $employee['suffix'] ?>'/></td>
<td><label for="home_phone">Phone(Home)</label>
<input type="text" name="home_phone" id="home_phone" value='<?php echo $employee['home_phone'] ?>'/></td>
</tr>
<tr>
<td class="align-right"><label for="gender">Gender</label>
<select>
<option selected><?php echo $employee['gender'] ?></option>
<option value="male">Male</option>
<option value="female">Female</option>
</select></td>
<td><label for="mobile_phone">Phone(Mobile)</label>
<input type="text" name="mobile_phone" id="mobile_phone" value='<?php echo $employee['mobile_phone'] ?>'/></td>
</tr>
<td class="align-right">
<input type="submit" id="submit-btn" value="Create Employee" />
</td>
<td> </td>
</table>
</form>
</div>
</div>
我的问题是这些数据,在保存数据库时没有被捕获。我在数据库中的功能如下。
function add_employee($user_id, $first_name, $middle_name, $last_name,
$suffix, $gender, $date_birth, $cbemail,
$locality_id, $home_phone, $mobile_phone) {
$db = load_db();
$sql = "INSERT into employees (
user_id, first_name, middle_name, last_name,
suffix, gender, date_birth, cbemail,
locality_id, home_phone, mobile_phone
) VALUES (
$user_id, $first_name, $middle_name, $last_name,
$suffix, $gender, $date_birth, $cbemail,
$locality_id, $home_phone, $mobile_phone
)";
$result = $db->query($sql);
}
是的我需要POST,但我不知道如何在输入框的值字段中捕获“值”。
提交按钮将在此行代码中重定向。
if(isset($_POST['save_user'])){
add_employee($_POST['user_id'], $_POST['first_name'], $_POST['middle_name'], $_POST['last_name'],
$_POST['suffix'], $_POST['gender'], $_POST['date_birth'], $_POST['cbemail'],
$_POST['locality_id'], $_POST['home_phone'], $_POST['mobile_phone']);
那么任何想法?我希望你能理解这个问题。
答案 0 :(得分:4)
对于要存储在Mysql数据库中的字符串,您需要使用&#39;&#39; (引号)。
对于像$ _POST [&#39; first_name&#39;]这样的字符串,请使用&#39; $ _ POST [&#39; first_name&#39;]&#39;
顺便说一下,尝试使用参数化查询也是安全的,
然后你应该好。
答案 1 :(得分:1)
必须引用SQL中的字符串值。您在不引用数据的情况下转储数据。这是无效的SQL。
使用paramaterized queries,这些会自动引用您的数据并将其转义以删除您庞大的SQL注入安全漏洞。
答案 2 :(得分:0)
使用此功能。
function add_employee($user_id, $first_name, $middle_name, $last_name,
$suffix, $gender, $date_birth, $cbemail,
$locality_id, $home_phone, $mobile_phone) {
$db = load_db();
$sql = "INSERT into employees (
user_id, first_name, middle_name, last_name,
suffix, gender, date_birth, cbemail,
locality_id, home_phone, mobile_phone
) VALUES (
'".$user_id."', '".$first_name."', '".$middle_name."', '".$last_name."',
'".$suffix."', '".$gender."', '".$date_birth."', '".$cbemail."',
'".$locality_id."', '".$home_phone."', '".$mobile_phone."'
)";
$result = $db->query($sql);
}
答案 3 :(得分:0)
什么是if(isset($_POST['save_user'])){
我看不到任何带有save_user
名称的字段。您应该将其更改为其他可能的内容if(isset($_POST['user_id'])){
此外,您还需要其他人提及的引号。