我的网站上有一个工作表单,可以成功地将字段插入到MySQL数据库表中。我添加了一个新表,基本上复制了新表单的现有代码,并且收到错误。我已经调整了一堆并感到困惑。
以下是表格:
<form action="contact.php" method="post">
<input type="hidden" name="submitted" value="true" />
<fieldset>
<label>First Name: <input type="text" name="firstname" required="" /> </label><br />
<label>Last Name: <input type="text" name="lastname" required /> </label><br />
<label>Email Address: <input type="text" name="email" required /> </label><br />
<label>Anniversary Date: <input type="date" name="weddingdate" /> </label><br />
<label>Birthday: <input type="date" name="birthday" /> </label><br />
<label>Business Name: <input type="text" name="business" /> </label><br />
<label>Are You A Chamber Member?: <input type="radio" name="chamber" value="memyes">Yes <input type="radio" name="chamber" value="memno"> No<br />
<label>Comments: <input type="textarea" name="comments" rows="2" cols="50"> </label>
</fieldset>
<input type="submit" value="Enter Me In The Contest!" />
</form>
contact.php文件如下所示:
if (isset($_POST['submitted'])) {
include('dbconnect.php');
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$weddingdate = $_POST['weddingdate'];
$birthday = $_POST['birthday'];
$business = $_POST['business'];
$chamber = $_POST['chamber'];
$comments = $_POST['comments'];
$sqlinsert = "INSERT INTO contest (`firstname`, `lastname`, `email`, `weddingdate`, `birthday`,`business`, 'chamber', 'comments') VALUES ('$firstname', '$lastname', '$email', '$weddingdate', '$birthday', '$business', '$chamber', '$comments')";
if (!mysqli_query($dbcon, $sqlinsert)) {
die('Error adding to database');
}
header('Location: website omitted');
}
我知道它正确连接,我使用相同的连接脚本,并测试连接添加连接回显消息。
我使用此脚本获得的是“添加到数据库时出错”消息...
提前感谢您的建议和帮助!
答案 0 :(得分:1)
您的两个INSERT
列(chamber
和comments
)都有单引号而不是反引号。
(.......`weddingdate`, `birthday`,`business`, 'chamber', 'comments')
^ ^ ^ ^
您目前用于输入的方法不安全,因此已合并mysqli_real_escape_string()
函数。
$firstname = $_POST['firstname'];
(不推荐)
$firstname= mysqli_real_escape_string($dbcon, $_POST['firstname']);
(推荐)
NB:使用隐藏字段来检查它是否为isset
并不总是一个好主意 - 您可能会在没有检查空字段的情况下获取空数据,这是您的没做。
您可以指定提交按钮并使用(isset($_POST['submit']))
例如:
<input type="submit" name="submit" value="Enter Me In The Contest!" />
然而,这完全取决于你。
PHP
if (isset($_POST['submitted'])) {
include('dbconnect.php');
$firstname= mysqli_real_escape_string($dbcon, $_POST['firstname']);
$lastname= mysqli_real_escape_string($dbcon, $_POST['lastname']);
$email= mysqli_real_escape_string($dbcon, $_POST['email']);
$weddingdate= mysqli_real_escape_string($dbcon, $_POST['weddingdate']);
$birthday= mysqli_real_escape_string($dbcon, $_POST['birthday']);
$business= mysqli_real_escape_string($dbcon, $_POST['business']);
$chamber= mysqli_real_escape_string($dbcon, $_POST['chamber']);
$comments= mysqli_real_escape_string($dbcon, $_POST['comments']);
$sqlinsert = "INSERT INTO `contest` (`firstname`, `lastname`, `email`, `weddingdate`, `birthday`,`business`, `chamber`, `comments`) VALUES ('$firstname', '$lastname', '$email', '$weddingdate', '$birthday', '$business', '$chamber', '$comments')";
if (!mysqli_query($dbcon, $sqlinsert)) {
die('Error adding to database');
}
header('Location: website omitted');
}
答案 1 :(得分:0)
尝试删除列名称周围的引号,如下所示:
$sqlinsert = "INSERT INTO contest (firstname, lastname, email, weddingdate, birthday,business, chamber, comments) VALUES ('$firstname', '$lastname', '$email', '$weddingdate', '$birthday', '$business', '$chamber', '$comments')";
答案 2 :(得分:0)
首先,我想对你说这个小警告:你的脚本尖叫着“我打算接受SQL注射。”你完全没有保护。
始终至少使用addslashes ....
--- //你的脚本(已调整)// -----
<?php
if (isset($_POST['submitted'])) {
include('dbconnect.php');
$firstname = addslashes($_POST['firstname']);
$lastname = addslashes($_POST['lastname']);
$email = addslashes($_POST['email']);
$weddingdate = addslashes($_POST['weddingdate']);
$birthday = addslashes($_POST['birthday']);
$business = addslashes($_POST['business']);
$chamber = addslashes($_POST['chamber']);
$comments = addslashes($_POST['comments']);
$sqlinsert = "INSERT INTO contest (firstname, lastname, email, weddingdate,
birthday, business, chamber, comments) VALUES
('".$firstname."', '".$lastname."', '".$email."', '".$weddingdate."',
'".$birthday."', '".$business."', '".$chamber."', '".$comments."')";
if(mysqli_query($dbcon, $sqlinsert)){
echo "Query done :-)<br>";
} else {
echo mysqli_error($dbcon) . "<hr>";
}
}
--- //你的脚本(已调整)// -----
您当然也可以使用mysqli_real_escape_string而不是使用addslashes:
<?php
$query = mysqli_real_escape_string($dbcon,$sqlinsert);
无论如何,如果您运行此脚本并遇到MySQL错误,则脚本将向您的屏幕发送错误消息。你可以从那里拿起它; - )
P.S。由于您在查询中定义字段的方式,您的脚本无法正常工作:您在字段名称中使用:business
和'chamber'....
答案 3 :(得分:0)
感谢您的快速教育。这绝对是让我搞砸的Back-Ticks。我仍然是PHP方面的新手,并且感谢我对代码的额外帮助。我已经成功使用了这个脚本,并且正在调整我目前正在使用的其他PHP表单连接脚本,以便出于安全原因来匹配它。