我正在尝试创建一个动态页面并将其存储在MySQL数据库中。它很好地连接到数据库,但似乎在SQL语法中找不到我找不到的错误。我已经尝试重新格式化代码,无法指出它。 这是PHP:
<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="UTF-8">
<title></title>
</head>
<body>
<?php
$dbc = mysqli_connect('localhost', 'username', 'password', 'test_db')
or die("There was an error connecting to the database. Please try again later.");
$fullname = (string)$_POST['name'];
$guest_email = $_POST['email'];
$password = $_POST['password'];
echo "<h1>Thanks for your submission!</h1>";
echo "Your Name on File is: ". $fullname . '<br>';
echo "Your Email on File is: ". $guest_email . '<br>';
echo "Your Password on File is: ". $password . '<br>';
$add_query = "INSERT INTO test_form (full_name, email, user_pass) VALUES( $fullname, $guest_email, $password)";
$result = mysqli_query($dbc, $add_query)
or die("<strong>There was an error processing the form. Please call your IT support!</strong>". mysqli_error($dbc));
mysqli_close($dbc);
?>
</body>
</html>
这是HTML:
<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="UTF-8">
<title>Test Form</title>
</head>
<body>
<h1>Test Form</h1>
<form action="index.php" method="post">
<input type="text" placeholder="Name" name="name"/>
<input type="email" name="email" id="email" placeholder="Email"/>
<input type="password" name="password" id="password" placeholder="Enter a password"/>
<input type="submit" value="Submit"/>
</form>
</body>
</html>
答案 0 :(得分:1)
您需要在字符串
时引用您的值('$fullname', '$guest_email', '$password')
有关密码存储的重要说明:
我注意到您可能以纯文本格式存储密码。如果是这种情况,则非常气馁,如果在现场网站上使用,您将遭到入侵。
我建议您使用CRYPT_BLOWFISH或PHP 5.5的password_hash()功能。对于PHP&lt; 5.5使用password_hash() compatibility pack。
如果您确实使用其中一个,请确保该列足够长以容纳哈希值。
另外,关于您目前可以使用的SQL注入,use mysqli with prepared statements或PDO with prepared statements,,它们更安全。
答案 1 :(得分:0)
在$add_query中,您没有像以前那样正确地连接其他变量。这应该有效:
$add_query = "INSERT INTO test_form (full_name, email, user_pass) VALUES ( '" . $fullname . "' , '" . $guest_email . "' , '" . $password . "')";
答案 2 :(得分:0)
您应该意识到您的代码容易受到SQL注入的攻击,因此不能在现实世界中使用它[&p;环境,但仅用于测试!
要从一开始就阻止SQL注入,您可以使用文档中描述的准备语句:
我不熟悉mysqli驱动程序,并建议使用PDO,这是一种更通用的数据库连接方法。
但是,使用mysqli预处理语句的代码应如下所示:
<?php
$dbc = mysqli_connect('localhost', 'username', 'password', 'test_db')
or die("There was an error connecting to the database. Please try again later.");
$fullname = (string)$_POST['name'];
$guest_email = $_POST['email'];
$password = $_POST['password'];
echo "<h1>Thanks for your submission!</h1>";
echo "Your Name on File is: ". $fullname . '<br>';
echo "Your Email on File is: ". $guest_email . '<br>';
//echo "Your Password on File is: ". $password . '<br>'; // never ever print any password!
/* create prepared statement */
$stmt = mysqli_prepare($dbc, "INSERT INTO test_form (full_name, email, user_pass) VALUES(?, ?, ?)");
/* bind params to prepared statement */
mysqli_stmt_bind_param($stmt, 'sss', $fullname, $guest_email, $password);
/* execute prepared statement */
mysqli_stmt_execute($stmt);
/* close statement and connection */
mysqli_stmt_close($stmt);
/* close connection */
mysqli_close($dbc);
&GT;