Insert data into a database using MySQL & PHP

Time: 2013-06-10 20:20:40

Tags: php mysql phpmyadmin

Sean, PHP code:

<?php 
$name = $_POST["name"];
    echo $name;

if (is_array($_POST["categories"]))
{
 foreach ($_POST["categories"] as $col)
    echo "<BR>\n".$col;
}
else
 echo "<BR>no color was chosen.";

$pdo= new PDO('mysql:host=localhost;dbname=ronre', 'roon', 'abc12345');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
$pdo->exec('SET NAMES "utf8"');
$tbl_cols = array("Lifestyle","Beauty","Business"); // column names in roller table.
if (is_array($_POST["categories"])){ // check if array
 foreach ($_POST["categories"] as $col){  // loop through each $_POST["categories"]
          if(in_array($col,$tbl_cols)){ // make sure it is safe by whitelisting it
              $pdo->prepare("INSERT INTO roller (`$col`) VALUES (?) ");
              $pdo->execute(array($_POST['name']));
          }
 }
}
exit(); 
?>

I get the problem: Fatal error: Call to undefined method PDO::execute() in /Users/ronr....

2 answers:

Answer 0: (score: 1)

You are not executing the query -

$sql="INSERT INTO roller
      ('$col') VALUES ('$_POST[name]') ";

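Also, since you are using PDO, you should use prepared statements to prevent SQL injection. Since columns cannot be used in prepared statements, you will need to whitelist them. See Reference - frequently asked questions about PDO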

$query = $pdo->prepare("INSERT INTO roller (`$col`) VALUES (?) ");
$query->execute(array($_POST['name']));

Edit

If you want to insert $_POST["name"] into each table column ($_POST["categories"]), you can do the following -

<?php 
 $pdo= new PDO('mysql:host=localhost;dbname=ronre', 'roon', 'abc12345');
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
 $pdo->exec('SET NAMES "utf8"');
 $tbl_cols = array("col1","col2","col3" /* , ... */); // column names in roller table.
 if (is_array($_POST["categories"])){ // check if array
     foreach ($_POST["categories"] as $col){  // loop through each $_POST["categories"]
              if(in_array($col,$tbl_cols)){ // make sure it is safe by whitelisting it
                  $query = $pdo->prepare("INSERT INTO roller (`$col`) VALUES (?) ");
                  $query->execute(array($_POST['name']));
              }
     }
 }
 exit(); 
?>

Or if you want to do it in one query, rather than in a loop, try something like -

<?php 
 $pdo= new PDO('mysql:host=localhost;dbname=ronre', 'roon', 'abc12345');
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
 $pdo->exec('SET NAMES "utf8"');
 $tbl_cols = array("col1","col2","col3" /* , ... */); // column names in roller table.
 $cols = array(); // safe column names collected below
 if (is_array($_POST["categories"])){ // check if array
     foreach ($_POST["categories"] as $col){  // loop through each $_POST["categories"]
              if(in_array($col,$tbl_cols)){ // make sure it is safe by whitelisting it
                          $cols[]=$col; // create an array of safe column names
              }
     }
 }
 if (count($cols) > 0){ // run the query only if at least one valid column was chosen
     $name = array_fill(0, count($cols), $_POST['name']); // create an array of $_POST['name'] with same amount as $cols
     $num_of_vals  = str_repeat('?,', count($cols) - 1) . '?'; // create n number of ? same as $cols / $name   
     $cols = implode("`, `", $cols); // implode the $cols to get a csv of $cols
     $query = $pdo->prepare("INSERT INTO roller (`$cols`) VALUES ($num_of_vals) ");
     $query->execute($name); // $name is already the flat array of bound values
 }
 exit(); 
?>
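
The column whitelist plus bound values described in the answer above, as an added example that is not part of the original post. It assumes an in-memory SQLite database through PDO so that it runs without a MySQL server; the function names `safeColumns` and `insertName` and the sample input are constructed for illustration.

```php
<?php
// Added example: whitelist column identifiers, bind values as parameters.
// Assumption: in-memory SQLite via PDO stands in for the MySQL database.
const ALLOWED_COLS = ['Lifestyle', 'Beauty', 'Business']; // columns named in the question

// Return only the requested columns that are whitelisted, without duplicates.
function safeColumns($requested): array
{
    if (!is_array($requested)) {
        return [];
    }
    $safe = [];
    foreach ($requested as $col) {
        // Strict comparison: nested arrays or numbers in crafted POST data never match.
        if (is_string($col) && in_array($col, ALLOWED_COLS, true) && !in_array($col, $safe, true)) {
            $safe[] = $col;
        }
    }
    return $safe;
}

// Insert $name into every whitelisted column with one prepared statement.
function insertName(PDO $pdo, $requested, string $name): int
{
    $cols = safeColumns($requested);
    if ($cols === []) {
        return 0; // nothing valid selected: run no query at all
    }
    $identifiers  = '`' . implode('`, `', $cols) . '`';
    $placeholders = implode(', ', array_fill(0, count($cols), '?'));
    $stmt = $pdo->prepare("INSERT INTO roller ($identifiers) VALUES ($placeholders)");
    $stmt->execute(array_fill(0, count($cols), $name)); // flat array, one value per ?
    return count($cols);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE roller (`Lifestyle` TEXT, `Beauty` TEXT, `Business` TEXT)');

// Constructed sample input standing in for $_POST.
$post = [
    'name'       => "O'Brien",
    'categories' => ['Beauty', 'Beauty', 'password', 'Life`style', 'Lifestyle'],
];

$used = insertName($pdo, $post['categories'], $post['name']);
$row  = $pdo->query('SELECT * FROM roller')->fetch(PDO::FETCH_ASSOC);
var_dump($used, $row);
```

Only identifiers that exactly match the whitelist reach the SQL text; the name, including its quote character, travels as a bound parameter and is stored verbatim.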

Answer 1: (score: 0)

The errors I see are as follows

  1. You are not executing the query
  2. In your query, you are not concatenating properly
  3. It should be

    $sql="INSERT INTO roller
    ('$col') VALUES ('{$_POST['name']}') ";
    

    OR

    $sql="INSERT INTO roller
    ('$col') VALUES ('".$_POST['name']."') ";