Since I'm a beginner, I'd like to ask about this problem. The insert query doesn't seem to work, but no error message appears. Here is the code:
```php
<?php
include "../../inc/inc.koneksi.php";
$table = "admins";
$user = str_replace("'","\'",$_POST['user']);
$pwd = md5($_POST['pwd1']);
$nama = str_replace("'","\'",$_POST['nama']);
$level = $_POST['level'];
$blokir = $_POST['blokir'];
$sql = mysql_query("SELECT username, password, nama_lengkap, level, blokir
                    FROM $table
                    WHERE username= '$user'");
$row = mysql_num_rows($sql);
if ($row > 0){
    $input = "UPDATE $table SET password ='$pwd',
              nama_lengkap ='$nama',
              level ='$level',
              blokir ='$blokir',
              lastupdate = now()
              WHERE username= '$user'";
    // if(!mysql_query($input));
    if ( mysql_query($input) ) {
        echo "Record updated successfully.";
    } else {
        echo "Something went wrong with the query.";
    }
} else {
    $input = "INSERT INTO $table (username, password, nama_lengkap, level, blokir, create)
              VALUES ('".$user."', '".$pwd."', '".$nama."', '".$level."', '".$blokir."', now() )";
    //if (!mysql_query($input));
    if ( mysql_query($input) ) {
        echo "New record created successfully.";
    } else {
        echo "Something went wrong with the query.";
    }
}
echo "<br>".$input."<br/>";
?>
```
I really need your help :))
Answer 0 (score: 1)
You really should consider using prepared statements / parameterized SQL instead of stringing your SQL together this way.
SQL injection is a very real security concern with the way you have this structured.
Why concatenate the table name into the SQL when it is just a string constant?
Edit: I took the following short snippet from the hyperlink above (one of my replies). I find this pattern much easier to read than concatenated SQL (which is, by the way, so 1991 Visual Basic). You can also cache the prepared statement if it is used often.
```php
$stmt = $dbh->prepare("SELECT * FROM users WHERE USERNAME = ? AND PASSWORD = ?");
$stmt->execute(array($username, $password));
```
Personally, I'm also a big fan of using database stored procedures, but in the interest of space and time I won't go into that. One benefit of stored procedures in the context we're dealing with is that they are very easy to test completely independently of the PHP code. Then, when you call them from PHP, you only need to pass the correct parameters and everything works just as it did in testing.
Answer 1 (score: 1)
`mysql_query` is deprecated and should not be used for new code. Use PDO for database access, and get the error messages from the database connection/statement handlers.
The example below shows how to set up PDO, how to execute a prepared statement, and how to get at the error messages. Note that we don't concatenate the values into a string; we pass them as named parameters. When you do that, PDO takes care of sanitizing and escaping. I also removed the variable for the table name - just type it into the query.
```php
// This is how to establish a PDO connection
$host="[replace me]";     // Host name
$username="[replace me]"; // username
$password="[replace me]"; // password
$db_name="[replace me]";  // Database name
/*
you do this once, then pass $pdo into class constructors or as a function argument
when db access is needed
do not use the global keyword. don't do it.
*/
$pdo = new PDO('mysql:host='.$host.';dbname='.$db_name, $username, $password);
/*
before you do your query, you should validate the input. Make sure all the
fields exist, and have valid data. You should not assume they're there and valid,
even if you validated the form with javascript. This is one of many ways to do it.
*/
$errors = array();
foreach (
    array(
        'user',
        'pwd1',
        'nama',
        'level',
        'blokir'
    ) as $field
){
    if (
        array_key_exists($field, $_POST) === false ||
        strlen(trim($_POST[$field])) < 1
    ){
        $errors[] = 'Missing required field: '.$field;
    }
}
// only do the query if you have all the values!
$result = false;
if (count($errors) === 0) {
    // make a prepared statement
    // `create` is a reserved word in MySQL, so the column name is backtick-quoted;
    // left unquoted, this INSERT fails with a syntax error
    $pdoStatement = $pdo->prepare('
        INSERT INTO admins (
            username,
            password,
            nama_lengkap,
            level,
            blokir,
            `create`
        ) VALUES (
            :username,
            :password,
            :nama_lengkap,
            :level,
            :blokir,
            NOW()
        )
    ');
    $result = $pdoStatement->execute(array(
        'username'=>$_POST['user'],
        'password'=>$_POST['pwd1'],
        'nama_lengkap'=>$_POST['nama'],
        'level'=>$_POST['level'],
        'blokir'=>$_POST['blokir']
    ));
    if (!$result) $errors = $pdoStatement->errorInfo();
}
if (!$result){
    // do something better with the error messages!
    echo 'There were errors: <ul><li>'.implode('</li><li>', $errors).'</li></ul>';
}
```
Documentation
- PDO - http://php.net/manual/en/book.pdo.php
- PDO::prepare - http://php.net/manual/en/pdo.prepare.php
- PDOStatement - http://php.net/manual/en/class.pdostatement.php
- PDOStatement::execute - http://php.net/manual/en/pdostatement.execute.php
- PDOStatement::errorInfo - http://php.net/manual/en/pdostatement.errorinfo.php
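As an added example (not code from the question or from either answer), here is the question's full update-or-insert flow rewritten the way both answers recommend: PDO with prepared statements and named parameters, the table name written as a constant, and PDO set to throw on SQL errors so a failed query can never be silently swallowed. It assumes the `admins` columns used in the question, placeholder connection details, and it swaps the question's `md5()` for `password_hash()`; the `connect`, `requiredFields` and `saveAdmin` function names are this example's own.

```php
<?php
// Added example: update-or-insert for the question's `admins` table using PDO.
// Assumptions: connection details are placeholders; columns are those used in the
// question; password_hash() stands in for the question's md5().
declare(strict_types=1);

function connect(string $host, string $dbName, string $user, string $pass): PDO
{
    return new PDO("mysql:host=$host;dbname=$dbName;charset=utf8mb4", $user, $pass, [
        // Throw on SQL errors: a failed INSERT is reported instead of ignored
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements rather than client-side emulation
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Same check as in the answer above: every field must be present and non-empty
function requiredFields(array $post, array $fields): array
{
    $errors = [];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || trim((string)$post[$f]) === '') {
            $errors[] = "Missing required field: $f";
        }
    }
    return $errors;
}

function saveAdmin(PDO $pdo, array $post): string
{
    $errors = requiredFields($post, ['user', 'pwd1', 'nama', 'level', 'blokir']);
    if ($errors) {
        return implode('; ', $errors);
    }
    $params = [
        'username' => $post['user'],
        'password' => password_hash($post['pwd1'], PASSWORD_DEFAULT),
        'nama'     => $post['nama'],
        'level'    => $post['level'],
        'blokir'   => $post['blokir'],
    ];

    // Existence check with a bound parameter; no quoting of $_POST values by hand
    $exists = $pdo->prepare('SELECT 1 FROM admins WHERE username = :username');
    $exists->execute(['username' => $params['username']]);

    if ($exists->fetchColumn() !== false) {
        $stmt = $pdo->prepare('
            UPDATE admins
               SET password = :password, nama_lengkap = :nama, level = :level,
                   blokir = :blokir, lastupdate = NOW()
             WHERE username = :username');
        $stmt->execute($params);
        return 'Record updated successfully.';
    }

    // `create` is a reserved word in MySQL, so the column name must be quoted
    $stmt = $pdo->prepare('
        INSERT INTO admins (username, password, nama_lengkap, level, blokir, `create`)
        VALUES (:username, :password, :nama, :level, :blokir, NOW())');
    $stmt->execute($params);
    return 'New record created successfully.';
}

try {
    $pdo = connect('[replace me]', '[replace me]', '[replace me]', '[replace me]');
    echo htmlspecialchars(saveAdmin($pdo, $_POST), ENT_QUOTES, 'UTF-8');
} catch (PDOException $e) {
    // Keep the SQL error server-side; the browser only sees a generic message
    error_log($e->getMessage());
    echo 'Something went wrong with the query.';
}
```

With `ERRMODE_EXCEPTION` set, the silent failure in the question cannot happen: the reserved-word syntax error on `create` surfaces as a `PDOException` whose message lands in the server log, while the SQL text itself is never echoed back to the page as the question's final `echo` did.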