所以我尝试使用PDO来阻止sql注入,但在运行我的代码之后,数据不会输入到数据库中。如果有人能找到错误,我将非常感激。
header("location:employees.php");
$connect = mysql_connect("localhost","root","");
if(!$connect){
die(mysql_error($connect));
}
mysql_select_db("employees",$connect) or die(mysql_error());
$dbConnection = new PDO('mysql:dbname=employees;host=localhost;', 'localhost', '');
$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$name = $_POST['name'];
$position = $_POST['position'];
$wage = $_POST['wage'];
$preparedStatement = $db->prepare('INSERT INTO employees (name, position, wage) VALUES (:name, :position, :wage)');
$preparedStatement->execute(array(':name' => $name,':position' => $position,':wage' => $wage));
mysql_query($preparedStatement);
我没有收到任何错误或任何错误,但用户没有输入数据库。
答案 0 :(得分:2)
您在这里混合概念:使用PDO或mysql_函数:
header("location:employees.php");
$dbConnection = new PDO('mysql:dbname=employees;host=localhost;', 'localhost', '');
$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$name = $_POST['name'];
$position = $_POST['position'];
$wage = $_POST['wage'];
$preparedStatement = $db->prepare('INSERT INTO employees (name, position, wage) VALUES (:name, :position, :wage)');
$preparedStatement->execute(array(
':name' => $name,
':position' => $position,
':wage' => $wage
));