Question

我无法看到这个问题，但它不会工作。

快速删除：在上一页填写的表单中，$ _POST [＆＃39;＆＃39;]被添加到$ _SESSION [＆＃39;＆＃39;]＆＃39; s，来自$ _SESSION [＆＃39;＆＃39;]的$ vars，用于mysqli_query的$ vars。

我确定这个问题正在盯着我，但我看不到它。

下面是代码:(更新）

if(isset($_POST['list_make']) && $_POST['list_make'] != '') { $list_make  = $_POST['list_make']; $_SESSION['list_make'] = $list_make; }
if(isset($_SESSION['list_make']) && $_SESSION['list_make'] != '') { $list_make = $_SESSION['list_make']; } else { $list_make = ''; }

$add_car_query = "INSERT INTO car_details 
    (car_user_id, car_user_number, car_date_added, car_make, car_model, car_date_registered, car_odometer, 
        car_engine_size, car_color, car_body_type, car_owners, car_nct_date, car_rax_date) 
    VALUES 
    ('$user_id_new', '$new_user_number', '$today', '$list_make', '$list_model', '$list_year', '$list_kilometers', 
        '$list_engine_size', '$list_color', '$list_body_type', '$list_previous_owners', '$list_nct', '$list_tax')
    ";
if(mysqli_query($con, $add_car_query)) { $added = 'added'; } else { $added = 'Not happening'; }

Answer 1

尝试检查else中是否存在MySQLi错误（如果查询失败将触发该错误）：

$add_car_query = "INSERT INTO car_details 
    (car_user_id, car_user_number, car_date_added, car_make, car_model, car_date_registered, car_odometer, 
        car_engine_size, car_color, car_body_type, car_owners, car_nct_date, car_rax_date) 
    VALUES 
    ('$user_id_new', '$new_user_number', '$today', '$list_make', '$list_model', '$list_year', '$list_kilometers', 
        '$list_engine_size', '$list_color', '$list_body_type', '$list_previous_owners', '$list_nct', '$list_tax')
    ";
if(mysqli_query($con, $add_car_query)) { 
  $added = 'added'; 
} 
else { 

  // check for the error here
  if(mysqli_error()) {
    echo mysqli_error();
  }

  $added = 'Not happening'; 
}

准备好的陈述

正如评论中的某些人所说，您应该使用prepared statements来提高安全性。这样您就不必担心转义输入了（看起来您现在没有转义值very dangerous）。

虽然问号占位符有点令人困惑（但不幸的是MySQLi不支持命名参数）。使用OOP MySQLi准备好的语句更好，但是你使用的是程序，所以这里是你如何在你的问题中为查询做一个准备好的语句：

$add_car_query = "INSERT INTO car_details 
    (car_user_id, 
     car_user_number, 
     car_date_added, 
     car_make, 
     car_model, 
     car_date_registered, 
     car_odometer, 
     car_engine_size, 
     car_color, 
     car_body_type, 
     car_owners, 
     car_nct_date, 
     car_rax_date) 
    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";

$stmt = mysqli_stmt_prepare($con, $add_car_query);

// if any of the values are an int, change the 
// corresponding 's' (which means string) to 'i' (integer).
// more info: http://us.php.net/manual/en/mysqli-stmt.bind-param.php

mysqli_stmt_bind_param($stmt, 'sssssssssssss', 
                       $user_id_new, 
                       $new_user_number, 
                       $today, 
                       $list_make, 
                       $list_model, 
                       $list_year, 
                       $list_kilometers, 
                       $list_engine_size, 
                       $list_color, 
                       $list_body_type, 
                       $list_previous_owners, 
                       $list_nct, 
                       $list_tax);
$stmt_exe = mysqli_stmt_execute($stmt);

if($stmt_exe) { 
   $added = 'added'; 
} 
else { 
   if(mysqli_error()) {
     echo mysqli_error();
   }
   $added = 'Not happening'; 
}

INSERT INTO不为我插入

1 个答案: