$ _POST错误保存mysql数据库

时间:2013-05-16 09:49:07

标签: php mysql http-post

我有这个代码,这是从电子邮件中给出的链接注册用户。因此,ID和电子邮件正在通过表单和显示进行GET,然后检查是否有用户然后它将在该字段上显示内容,然后它只是一个更新。现在我要做的是创建,因为提供给用户的链接中的ID尚不存在。这是名为Register.php

的文件中的代码
<?php

    load_function('database.php');

    if(!empty($_GET['user_id']) && !empty($_GET['cbemail'])) 
    {
        $user_id = base64_decode($_GET['user_id']);
        $email = base64_decode($_GET['cbemail']);   

        $employee = get_employee($user_id,$email);

    }

        /*$first_name = $_POST['first_name'];
        $middle_name = $_POST['middle_name'];
        $last_name = $_POST['last_name'];
        $suffix = $_POST['suffix'];
        $gender = $_POST['gender'];
        $date_birth = $_POST['date_birth'];
        $cbemail = $_POST['cbemail'];
        $locality_id = $_POST['locality_id'];
        $home_phone = $_POST['home_phone'];
        $mobile_phone = $_POST['mobile_phone'];*/

?>

<div id="main-content">
    <div id="emp_registrationform">
      <form action="" method="post">
        <table width="600" border="0">
        <h1>Create Employee</h1>
          <tr>
            <td class="align-right"><label for="user_id">User</label>
            <input type="text" name="user_id" id="user_id" 
             value="<?php if(isset($user_id)){echo $user_id ; } ?>"/></td>
            </td>
          </tr>
          <tr>
            <td class="align-right"><label for="first_name">First Name</label>
              <input type="text" name="first_name" id="first_name" value='<?php echo $employee['first_name'] ?>'/></td>
            <td><label for="birth_date">Birth Date</label>
              <input type="text" name="birth_date" id="birth_date" value='<?php echo $employee['date_birth'] ?>'/></td>
          </tr>
          <tr>
            <td class="align-right"><label for="middle_name">Middle Name</label>
              <input type="text" name="middle_name" id="middle_name" value='<?php echo $employee['middle_name'] ?>'/></td>
            <td><label for="cbemail">Email</label>
              <input type="text" name="cbemail" id="cbemail" 
               value="<?php if(isset($email)){echo $email ; } ?>"/></td>
          </tr>
          <tr>
            <td class="align-right"><label for="last_name">Last Name</label>
              <input type="text" name="last_name" id="last_name" value='<?php echo $employee['last_name'] ?>'/></td>
            <td><label for="locality_id">Locality ID</label>
              <input type="text" name="locality_id" id="locality_id" value='<?php echo $employee['locality_id'] ?>'/></td>
          </tr>
          <tr>
            <td class="align-right"><label for="suffix">Suffix</label>
              <input type="text" name="suffix" id="suffix" value='<?php echo $employee['suffix'] ?>'/></td>
            <td><label for="home_phone">Phone(Home)</label>
              <input type="text" name="home_phone" id="home_phone" value='<?php echo $employee['home_phone'] ?>'/></td>
          </tr>
          <tr>
            <td class="align-right"><label for="gender">Gender</label>
              <select>
                <option selected><?php echo  $employee['gender'] ?></option>
                <option value="male">Male</option>
                <option value="female">Female</option>
              </select></td>
            <td><label for="mobile_phone">Phone(Mobile)</label>
              <input type="text" name="mobile_phone" id="mobile_phone" value='<?php echo  $employee['mobile_phone'] ?>'/></td>
          </tr>
           <td class="align-right">
              <input type="submit" id="submit-btn" value="Create Employee" />
           </td>
           <td>&nbsp;</td>
        </table>
      </form>
    </div>
  </div>

我的问题是这些数据,在保存数据库时没有被捕获。我在数据库中的功能如下。

function add_employee($user_id, $first_name, $middle_name, $last_name, 
                      $suffix, $gender, $date_birth, $cbemail, 
                      $locality_id, $home_phone, $mobile_phone) {
    $db   =  load_db();
    $sql = "INSERT into employees (
            user_id, first_name, middle_name, last_name, 
            suffix, gender, date_birth, cbemail,
            locality_id, home_phone, mobile_phone 
            ) VALUES (
            $user_id, $first_name, $middle_name, $last_name, 
            $suffix, $gender, $date_birth, $cbemail,
            $locality_id, $home_phone, $mobile_phone
            )";
    $result = $db->query($sql);
}

是的我需要POST,但我不知道如何在输入框的值字段中捕获“值”。

提交按钮将在此行代码中重定向。

if(isset($_POST['save_user'])){
    add_employee($_POST['user_id'], $_POST['first_name'], $_POST['middle_name'], $_POST['last_name'], 
                 $_POST['suffix'], $_POST['gender'], $_POST['date_birth'], $_POST['cbemail'], 
                 $_POST['locality_id'], $_POST['home_phone'], $_POST['mobile_phone']); 

那么任何想法?我希望你能理解这个问题。

4 个答案:

答案 0 :(得分:4)

对于要存储在Mysql数据库中的字符串,您需要使用&#39;&#39; (引号)。

对于像$ _POST [&#39; first_name&#39;]这样的字符串,请使用&#39; $ _ POST [&#39; first_name&#39;]&#39;

顺便说一下,尝试使用参数化查询也是安全的,

然后你应该好。

答案 1 :(得分:1)

必须引用SQL中的字符串值。您在不引用数据的情况下转储数据。这是无效的SQL。

使用paramaterized queries,这些会自动引用您的数据并将其转义以删除您庞大的SQL注入安全漏洞。

答案 2 :(得分:0)

使用此功能。

function add_employee($user_id, $first_name, $middle_name, $last_name, 
                  $suffix, $gender, $date_birth, $cbemail, 
                  $locality_id, $home_phone, $mobile_phone) {
$db   =  load_db();
$sql = "INSERT into employees (
        user_id, first_name, middle_name, last_name, 
        suffix, gender, date_birth, cbemail,
        locality_id, home_phone, mobile_phone 
        ) VALUES (
        '".$user_id."', '".$first_name."', '".$middle_name."', '".$last_name."', 
        '".$suffix."', '".$gender."', '".$date_birth."', '".$cbemail."',
        '".$locality_id."', '".$home_phone."', '".$mobile_phone."'
        )";
$result = $db->query($sql);
}

答案 3 :(得分:0)

什么是if(isset($_POST['save_user'])){我看不到任何带有save_user名称的字段。您应该将其更改为其他可能的内容if(isset($_POST['user_id'])){此外,您还需要其他人提及的引号。