为生成的注册表单编码正确的查询

时间:2014-10-02 04:23:29

标签: php mysql

我正在做一个项目,其中注册表格取决于数据库字段,如下所示:

function generateForm() {

    $db = new mysqli('localhost', 'root', 'toor', 'hybrid_offline_reg');
    $query = $db->query('DESCRIBE `' . $_SESSION['tableName'] .'`');
    $fields = array();

    while($row = $query->fetch_assoc()) {
        $fields[] = $row['Field'];
        $types[] = $row['Type'];
    }

    echo "<form method='post' action='successpage.php' align='center'>
    <table align='center'>";

    foreach($fields as $key => $field) {
        $type = $types[$key];

        echo "<tr>";

        switch ($field) {
            case "FNAME":
                echo "<td>First Name</td><td>:</td>
                <td><input type='text' name='FNAME' size=30></td>";
                break;

            case "MNAME":
                echo "<td>Middle Name</td><td>:</td>
                <td><input type='text' name='MNAME' size=30></td>";
                break;

            case "LNAME":
                echo "<td>Last Name</td><td>:</td>
                <td><input type='text' name='LNAME' size=30></td>";
                break;

            echo "</tr>";
}

echo "</table><br>
    <input type='submit' name='submitForm' value=' Submit '>
    <input type='reset' name='resetForm' value=' Clear '>
    </form>";

successpage.php 上,这就是目前的情况:

session_start();
    $db = new mysqli('localhost', 'root', 'toor', 'hybrid_offline_reg');
    $query = $db->query('DESCRIBE `' . $_SESSION['tableName'] .'`');
    //$fields = array();

    $insert_sql = "INSERT INTO `" . $_SESSION['tableName'] . "`(";

    while($row = $query->fetch_assoc()) {
    $f = $row['Field'];

        switch ($f) {

            case "USER_ID":
            case "DATE_CREATED": break;

            default:
                $insert_sql .= "`$f`,";
                break;
        }
    }

    $insert_sql = substr_replace($insert_sql, "", -1);
    $insert_sql .= ") VALUES (";


    $query = $db->query('DESCRIBE `' . $_SESSION['tableName'] .'`');
    while($row = $query->fetch_assoc()) {
    $i = $row['Field'];

        switch ($i) {

            case "USER_ID":
            case "DATE_CREATED": break;

            default:
                $insert_sql .= '`$_POST["' . $i . '"]`,' ;
                break;
        }
    }

    $insert_sql = substr_replace($insert_sql, "", -1);
    $insert_sql .= ")";

    $res = mysql_query($insert_sql);
    echo "Successfully registered!";

但显然,$insert_sql .= '$_POST["' . $i . '"],' ;不正确,因为$_POST["' . $i . '"]不应该是字符串,因为我试图获取它的值。但我也试图从$_POST依赖$_POST的名称。

帮助,有人吗? D:提前谢谢你!

1 个答案:

答案 0 :(得分:1)

改变这个:

$insert_sql .= '`$_POST["' . $i . '"]`,' ;

对此:

$insert_sql .= '`'. mysqli_real_escape_string($db, $_POST[$i]) .'`,';

您已经知道如何在PHP中连接字符串,因为您正在该行中进行。你只需要将$_POST部分从字符串中取出来。

另外,请阅读SQL注入。您不应该从用户输入中获取原始数据并在查询中使用它而不先对其进行清理。因此,我添加了mysqli_real_escape_string()

还有一件事......最后,看起来你正在呼唤mysql_query()。认为你的意思是mysqli_query(),不是吗?或许$db->query()

相关问题
最新问题