PHP表单发布到MySQL数据库错误

时间:2014-01-08 23:44:28

标签: php mysql forms

我的网站上有一个工作表单,可以成功地将字段插入到MySQL数据库表中。我添加了一个新表,基本上复制了新表单的现有代码,并且收到错误。我已经调整了一堆并感到困惑。

以下是表格:

    <form action="contact.php" method="post">
    <input type="hidden" name="submitted" value="true" />

<fieldset>
    <label>First Name: <input type="text" name="firstname" required="" /> </label><br />
    <label>Last Name: <input type="text" name="lastname" required /> </label><br />
    <label>Email Address: <input type="text" name="email" required /> </label><br />
    <label>Anniversary Date: <input type="date" name="weddingdate" /> </label><br />
    <label>Birthday: <input type="date" name="birthday"  /> </label><br />
    <label>Business Name: <input type="text" name="business" /> </label><br />
    <label>Are You A Chamber Member?: <input type="radio" name="chamber" value="memyes">Yes   <input type="radio" name="chamber" value="memno"> No<br />
    <label>Comments: <input type="textarea" name="comments" rows="2" cols="50"> </label>
</fieldset>
<input type="submit" value="Enter Me In The Contest!" />
</form>

contact.php文件如下所示:

    if (isset($_POST['submitted'])) {
include('dbconnect.php');

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$weddingdate = $_POST['weddingdate'];
$birthday = $_POST['birthday'];
$business = $_POST['business'];
$chamber = $_POST['chamber'];
$comments = $_POST['comments'];

$sqlinsert = "INSERT INTO contest (`firstname`, `lastname`, `email`, `weddingdate`, `birthday`,`business`, 'chamber', 'comments') VALUES ('$firstname', '$lastname', '$email', '$weddingdate', '$birthday', '$business', '$chamber', '$comments')";

if (!mysqli_query($dbcon, $sqlinsert)) {
    die('Error adding to database');    
}
header('Location: website omitted');
}

我知道它正确连接,我使用相同的连接脚本,并测试连接添加连接回显消息。

我使用此脚本获得的是“添加到数据库时出错”消息...

提前感谢您的建议和帮助!

4 个答案:

答案 0 :(得分:1)

您的两个INSERT列(chambercomments)都有单引号而不是反引号。

(.......`weddingdate`, `birthday`,`business`, 'chamber', 'comments')
                                              ^       ^  ^        ^

您目前用于输入的方法不安全,因此已合并mysqli_real_escape_string()函数。

$firstname = $_POST['firstname'];推荐)

$firstname= mysqli_real_escape_string($dbcon, $_POST['firstname']);(推荐)

NB:使用隐藏字段来检查它是否为isset并不总是一个好主意 - 您可能会在没有检查空字段的情况下获取空数据,这是您的没做。

您可以指定提交按钮并使用(isset($_POST['submit']))

例如:

<input type="submit" name="submit" value="Enter Me In The Contest!" />

然而,这完全取决于你。

PHP 

if (isset($_POST['submitted'])) {
include('dbconnect.php');

$firstname= mysqli_real_escape_string($dbcon, $_POST['firstname']);
$lastname= mysqli_real_escape_string($dbcon, $_POST['lastname']);
$email= mysqli_real_escape_string($dbcon, $_POST['email']);
$weddingdate= mysqli_real_escape_string($dbcon, $_POST['weddingdate']);
$birthday= mysqli_real_escape_string($dbcon, $_POST['birthday']);
$business= mysqli_real_escape_string($dbcon, $_POST['business']);
$chamber= mysqli_real_escape_string($dbcon, $_POST['chamber']);
$comments= mysqli_real_escape_string($dbcon, $_POST['comments']);


$sqlinsert = "INSERT INTO `contest` (`firstname`, `lastname`, `email`, `weddingdate`, `birthday`,`business`, `chamber`, `comments`) VALUES ('$firstname', '$lastname', '$email', '$weddingdate', '$birthday', '$business', '$chamber', '$comments')";

if (!mysqli_query($dbcon, $sqlinsert)) {
    die('Error adding to database');    
}
header('Location: website omitted');
}

答案 1 :(得分:0)

尝试删除列名称周围的引号,如下所示:

$sqlinsert = "INSERT INTO contest (firstname, lastname, email, weddingdate, birthday,business, chamber, comments) VALUES ('$firstname', '$lastname', '$email', '$weddingdate', '$birthday', '$business', '$chamber', '$comments')";

答案 2 :(得分:0)

首先,我想对你说这个小警告:你的脚本尖叫着“我打算接受SQL注射。”你完全没有保护。

始终至少使用addslashes ....

--- //你的脚本(已调整)// ----- 

    <?php

    if (isset($_POST['submitted'])) {
        include('dbconnect.php');

        $firstname = addslashes($_POST['firstname']);
        $lastname = addslashes($_POST['lastname']);
        $email = addslashes($_POST['email']);
        $weddingdate = addslashes($_POST['weddingdate']);
        $birthday = addslashes($_POST['birthday']);
        $business = addslashes($_POST['business']);
        $chamber = addslashes($_POST['chamber']);
        $comments = addslashes($_POST['comments']);

        $sqlinsert = "INSERT INTO contest (firstname, lastname, email, weddingdate,
 birthday, business, chamber, comments) VALUES 
('".$firstname."', '".$lastname."', '".$email."', '".$weddingdate."', 
                    '".$birthday."', '".$business."', '".$chamber."', '".$comments."')";


            if(mysqli_query($dbcon, $sqlinsert)){

                echo "Query &nbsp;done :-)<br>";
            } else {
                echo mysqli_error($dbcon) . "<hr>";
            }

        }

--- //你的脚本(已调整)// -----

您当然也可以使用mysqli_real_escape_string而不是使用addslashes:

<?php
$query = mysqli_real_escape_string($dbcon,$sqlinsert);

无论如何,如果您运行此脚本并遇到MySQL错误,则脚本将向您的屏幕发送错误消息。你可以从那里拿起它; - )

P.S。由于您在查询中定义字段的方式,您的脚本无法正常工作:您在字段名称中使用:business和'chamber'....

答案 3 :(得分:0)

感谢您的快速教育。这绝对是让我搞砸的Back-Ticks。我仍然是PHP方面的新手,并且感谢我对代码的额外帮助。我已经成功使用了这个脚本,并且正在调整我目前正在使用的其他PHP表单连接脚本,以便出于安全原因来匹配它。

相关问题
最新问题