用户访问页面后,PHP页面会立即插入空白记录。为什么?

时间:2014-07-23 04:06:26

标签: php wordpress insert-query

我有这个基本的php插入脚本工作正常,它会在用户点击提交后完美插入表单。但是,出于某种原因,当用户在他们甚至点击提交之前访问该页面时,它也会提交记录。在顶部,它回应"进入成功"在用户做任何事之前。数据库中将有一个空白记录。为什么会这样?

作为一个额外的问题...我可以阻止sql注入购买只需添加一些mysql_escape代码到这个的各个部分?这是一个WordPress页面,所以甚至是必要的吗?

<?php
$user_ID = get_current_user_id();

$hostname = "******";
$username = "******";
$dbname = "******";
$password = "*****";

//Connecting to your database
mysql_connect($hostname, $username, $password) OR DIE ("Unable to 
connect to database! Please try again later.");
mysql_select_db($dbname);

// Get values from form 
$genre = $_POST['genre'];
$movie_name = $_POST['movie_name'];
$movie_text = $_POST['movie_text'];


$query = "INSERT INTO movies (ID, genre, movie_name, movie_text)  VALUES
('$user_ID','$genre','$story_name','$story_text')";
$result = mysql_query($query);

if($result)
{
echo("
Entry Succesful");
}
else
{
echo("
failed to start");
}

?>

Get started!
<br><br>
<form name="movie" action="" method="post">

What type of movie? <select name="genre">
<option value="">Select...</option>
<option value="Comedy">Comedy</option>
<option value="Drama">Drama</option>

</select>

Name of Movie: <input type="text" size="55" name="movie_name">

<textarea rows="30" cols="80" name="movie_text" rows="4"></textarea>

<input type="submit" name="submit" id="submit" value="Add movie" />
</form>

2 个答案:

答案 0 :(得分:1)

&#34;但是,出于某种原因,当用户在点击提交之前访问该页面时,它也会提交记录。&#34;

使用您的(命名)提交按钮作为参考,将代码包含在(if)isset()条件语句中:

<?php

    if(isset($_POST['submit'])){
    $user_ID = get_current_user_id();
    ...

else
{
echo("
failed to start");
}

    } // end brace for if(isset($_POST['submit']))
?>

Get started!
<br><br>
<form name="movie" action="" method="post">
<input type="submit" name="submit" id="submit" value="Add movie" />

...

</form>

就SQL注入而言,请访问:

在堆栈上

答案 1 :(得分:0)

您需要检查用户是否正在点击提交按钮,否则每次运行页面或请求页面时都会执行php脚本。您可以使用isset来检查。尝试以下代码

<?php
if(isset($_REQUEST['submit']))
{
    $user_ID = get_current_user_id();
    $hostname = "******";
    $username = "******";
    $dbname = "******";
    $password = "*****";
    //Connecting to your database
    mysql_connect($hostname, $username, $password) OR DIE ("Unable to 
    connect to database! Please try again later.");
    mysql_select_db($dbname);

    // Get values from form 
    $genre = $_POST['genre'];
    $movie_name = $_POST['movie_name'];
    $movie_text = $_POST['movie_text'];


    $query = "INSERT INTO movies (ID, genre, movie_name, movie_text)  VALUES
    ('$user_ID','$genre','$story_name','$story_text')";
    $result = mysql_query($query);

    if($result)
    {
    echo("
    Entry Succesful");
    }

}

否则         {         回声(”         未能启动”);         }     ?&GT; 

Get started!
<br><br>
<form name="movie" action="" method="post">

What type of movie? <select name="genre">
<option value="">Select...</option>
<option value="Comedy">Comedy</option>
<option value="Drama">Drama</option>

</select>

Name of Movie: <input type="text" size="55" name="movie_name">

<textarea rows="30" cols="80" name="movie_text" rows="4"></textarea>

<input type="submit" name="submit" id="submit" value="Add movie" />
</form>

希望这有帮助:)

相关问题
最新问题