有没有办法可以格式化列表,以便我可以通过SQL插入它?
我当前的列表格式为test:test
,我希望能够对其进行格式化,以便将其插入到我的数据库中。
INSERT INTO `test` (`user`, `file`) VALUES
('test', 'test'),
('test2', 'test2'),
('test@test3.com', 'test3');
这有可能吗?
<?
if($_POST['oldlist']){
$sql = "SELECT * FROM test WHERE user='$_POST[oldlist]'";
$result = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($result) > 0) { echo "exists";} else {
$sqlq = "INSERT INTO test (`user` ,`file`)
VALUES ('$_POST[oldlist]');";
$add = mysql_query($sqlq) or die(mysql_error());
if($add){echo "done";}else {echo "failed";}
}}
?>
那是什么意思?我希望能够发布一个列表并将其插入到我的数据库中,但必须先将其格式化。
答案 0 :(得分:2)
你的代码中有一个令人讨厌的SQL注入漏洞。确保你逃脱你的价值观!以下是我建议您转义代码并将其插入数据库的方法:
<?php
// Use isset to determine whether there is a value present
if(isset($_POST['oldlist'])){
$oldlist = $_POST['oldlist'];
// Escape your data. Makes sure someone inject code that can jack your DB
$oldlist_esc = mysql_real_escape_string($oldlist);
$sql = "SELECT * FROM test WHERE user='$oldlist_esc'";
$result = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($result) > 0)
echo "exists";
else {
// I'll assume your data is line-delimited
$oldlist = explode("\n", $oldlist);
$new_oldlist = $oldlist;
foreach($oldlist as $key=>$value) {
$new_oldlist[$key] = explode(" ", $value, 1); // I'll assume each line is space-delimited
// Escape the new data
foreach($new_oldlist[$key] as $new_key=>$new_value)
$new_oldlist[$kew_key] = mysql_real_escape_string($new_value);
}
$sqlq = "INSERT INTO test (`user` ,`file`) VALUES ";
// Build out the query
$c = 0;
foreach($new_oldlist as $value) {
if($c++ > 0) $sqlq .= ',';
$sqlq .= '("';
$sqlq .= implode('","', $value);
$sqlq .= '")';
}
$add = mysql_query($sqlq) or die(mysql_error());
if($add)
echo "done";
else
echo "failed";
}
}
?>
在字符串中使用变量(例如:“asdfasdf $ myvar asdfasdf”)是可以的,但请记住使用mysql_real_escape_string
来转义数据。这使用户不会注入如下数据:
';DELETE FROM test WHERE true;--
会有效地擦除您的数据库。希望这有帮助!
答案 1 :(得分:1)
如果$ _POST在数组中有一些配对值,请尝试用“:”扩展数组的每个元素,用单个插入的正确语法连接它们,然后将整个数组连接到多个插入:
<?
// Just added 'olduser' as it seemed to go with WHERE user=... , change to your needs
if($_POST['olduser'] && $_POST['oldlist']){
$sql = "SELECT * FROM test WHERE user='$_POST[olduser]'";
$result = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($result) > 0) { echo "exists";} else {
foreach ($_POST['oldlist'] as &$each)
{
$each = explode(":",$each);
$each = "('".join("','",$each)."')";
}
$_POST['oldlist'] = join(",",$_POST['oldlist']);
// no semi-colon at end
$sqlq = "INSERT INTO test (`user` ,`file`) VALUES $_POST[oldlist]";
$add = mysql_query($sqlq) or die(mysql_error());
if($add){echo "done";}else {echo "failed";}
}}
?>
无论如何,请小心你的陈述,即使是在本地使用,我也不会在没有消毒查询的情况下保留它。