肖恩, php代码:
<?php
$name = $_POST["name"];
echo $name;
if (is_array($_POST["categories"]))
{
foreach ($_POST["categories"] as $col)
echo "<BR>\n".$col;
}
else
echo "<BR>no color was chosen.";
$pdo= new PDO('mysql:host=localhost;dbname=ronre', 'roon', 'abc12345');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('SET NAMES "utf8"');
$tbl_cols = array("Lifestyle","Beauty","Business"); // column names in roller table.
if (is_array($_POST["categories"])){ // check if array
foreach ($_POST["categories"] as $col){ // loop through each $_POST["categories"]
if(in_array($col,$tbl_cols)){ // make sure it is safe by whitelisting it
$pdo->prepare("INSERT INTO roller (`$col`) VALUES (?) ");
$pdo->execute(array($_POST['name']));
}
}
}
exit();
?>
我得到了问题:致命错误:在/ Users / ronr ....中调用未定义的方法PDO :: execute()
答案 0 :(得分:1)
您没有执行查询 -
$sql="INSERT INTO roller
('$col') VALUES ('$_POST[name]') ";
此外,由于您使用的是PDO
,因此应使用预准备语句来阻止SQL注入。
由于列不能在预准备语句中使用,因此您需要将其列入白名单。见Reference - frequently asked questions about PDO
$query = $pdo->prepare("INSERT INTO roller (`$col`) VALUES (?) ");
$query->execute(array($_POST['name']));
修改
如果您想将$_POST["name"]
插入每个表格列($_POST["categories"]
),您可以执行以下操作 -
<?php
$pdo= new PDO('mysql:host=localhost;dbname=ronre', 'roon', 'abc12345');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('SET NAMES "utf8"');
$tbl_cols = array("col1","col2","col3", ...); // column names in roller table.
if (is_array($_POST["categories"])){ // check if array
foreach ($_POST["categories"] as $col){ // loop through each $_POST["categories"]
if(in_array($col,$tbl_cols)){ // make sure it is safe by whitelisting it
$query = $pdo->prepare("INSERT INTO roller (`$col`) VALUES (?) ");
$query->execute(array($_POST['name']));
}
}
}
exit();
?>
或者如果你想在一个查询中进行,而不是在循环中,尝试类似 -
<?php
$pdo= new PDO('mysql:host=localhost;dbname=ronre', 'roon', 'abc12345');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('SET NAMES "utf8"');
$tbl_cols = array("col1","col2","col3", ...); // column names in roller table.
if (is_array($_POST["categories"])){ // check if array
foreach ($_POST["categories"] as $col){ // loop through each $_POST["categories"]
if(in_array($col,$tbl_cols)){ // make sure it is safe by whitelisting it
$cols[]=$col; // create an array of safe column names
}
}
}
$name = array_fill(0, count($cols), $_POST['name']); // create an array of $_POST['name'] with same amount as $cols
$num_of_vals = str_repeat('?,', count($cols) - 1) . '?'; // create n number of ? same as $cols / $name
$cols = implode("`, `", $cols); // implode the $cols to get a csv of $cols
$query = $pdo->prepare("INSERT INTO roller (`$cols`) VALUES ($num_of_vals) ");
$query->execute(array($name));
exit();
?>
答案 1 :(得分:0)
我看到的错误如下
应该是
$sql="INSERT INTO roller
('$col') VALUES ('{$_POST['name']}') ";
OR
$sql="INSERT INTO roller
('$col') VALUES ('".$_POST['name']."') ";