提交post echo但不在数据库中写入信息

时间:2015-03-27 19:48:04

标签: php database forms mysqli

我在更新数据库中的信息时遇到问题。 echo弹出成功但数据库行保持空白 - 为什么? PHP代码:

<?php

    if (isset($_POST['gender'])) {
        // Sanitize and validate the data passed in
        $gender = filter_input(INPUT_POST, 'gender', FILTER_SANITIZE_STRING);
        if ($stmt) {
            $stmt->bind_param('s', $gender);
            $stmt->execute();
            $stmt->store_result();

            if ($insert_stmt = $mysqli->prepare("INSERT INTO  members gender VALUE ?")) {
                $insert_stmt->bind_param('s', $gender);
            }
        }
        echo "<div class='notemarg'> Your gender has been submitted</div>";
    } 
?>

并输入表单:

<form action="" method="POST">
  <input type="radio" name="gender" value="male"> Male <br>
  <input type="radio" name="gender" value="female"> Female <br>
  <input type="submit" name="gender" value="Set gender" class="button">
</form>

我想使用mysqli->prepare来阻止SQL注入。

我用替代方法修复了它,其中有按钮预先定义的输入。

<?php

    $servername = "";
    $username = "";
    $password = "";
    $dbname = "";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
     if (isset($_POST['Female'])) {

     $gender = $_POST['Female'];
     $sql = "UPDATE members SET gender = '$gender' WHERE username = '".$_SESSION['username']."'"; 


    if ($conn->query($sql) === TRUE) {
        echo "<div class='notemarg'> Your gender has been submitted</div>";
    } else {
        echo "Error: " . $sql . "<br>" . $conn->error;
    }
    $conn->close();
}
    ?>

简单的形式:

<form action="" method="POST">
 <input type="submit" name="Female" value="Female" class="button">
</form>

感谢所有想要帮助我的人,特别是对于anant kumar singh。没有他的建议,我无法得到那个改变主意。谢谢!

更新#1

它只是弹出了回声&#34;错误&#34; 

<?php

if(isset($_POST['Female'])){

    $servername = "";
    $username = "";
    $password = "";
    $dbname = "";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
     if (isset($_POST['Female'])) {

     $gender = $_POST['Female'];
     $stmt = $conn->prepare('UPDATE members
     SET gender = ?
     WHERE username = ?'); 
$stmt->bind_param('s', $_POST['Female']);
 $stmt->bind_param('s', $_SESSION['username']);

    if ($conn->prepare === TRUE) {
        echo "<font color='#00CC00'>Your gender has been updated.</font><p>";
    } else {
        echo "Error: " . $conn->prepare . "<br>" . $conn->error;
    }
    $conn->close();
}
}
?>

不知道问题出在哪里...... 更新#2 

if(isset($_POST['Female'])){

    $servername = "";
    $username = "";
    $password = "";
    $dbname = "";

  // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
     if (isset($_POST['Female'])) {

     $gender = $_POST['Female'];
     $sql = "
     UPDATE members
     SET gender = ?
     WHERE username = ?
 ";
 $stmt = $mysqli->prepare($sql);
 $stmt->bind_param('s', $_POST['Female']);
 $stmt->bind_param('s', $_SESSION['username']);
 $stmt->execute();

    if ($mysqli->prepare($sql) === TRUE) {
        echo "<font color='#00CC00'>Your gender has been updated.</font><p>";
    } else {
        echo "Error: " . $conn->prepare . "<br>" . $conn->error;
    }
    $conn->close();
}
}

更新#3

我在代码中添加了一些注释,所以

     <?php
    // I had here twice the ifisset here and
        if(isset($_POST['Female'])){

        $servername = "";
        $username = "";
        $password = "";
        $dbname = "";

       // Create connection
        $conn = new mysqli($servername, $username, $password, $dbname);
        // Check connection
        if ($conn->connect_error) {
            die("Connection failed: " . $conn->connect_error);
        }
    //here the second one so I deleted that ifisset here...
         $gender = $_POST['Female'];
         $sql = "
         UPDATE members
         SET gender = ?
         WHERE username = ?
     ";
     $stmt = $mysqli->prepare($sql);
     $stmt->bind_param('s', $_POST['Female']);
     $stmt->bind_param('s', $_SESSION['username']);
     $ok = $stmt->execute();

        if ($ok == TRUE) {
            echo "<font color='#00CC00'>Your gender has been updated.</font><p>";
        } else {
            echo "Error: " .$stmt->error; // This is the line that shows the error
        }
        $conn->close();
    }
?>

我不确定是什么问题...它会在echo上弹出错误&#34;没有为预备语句中的参数提供数据&#34;

1 个答案:

答案 0 :(得分:1)

在发布一个带有巨大安全漏洞的答案之后,值得花些时间来解决这个问题。 是一种修复它的方法,因此您可以使用字符串连接方法,但它通常不如参数化。

您需要做的就是获取您的工作查询,并将其转换为参数化形式。像这样:

 // Expects valid $mysqli object here
 $sql = "
     UPDATE members
     SET gender = ?
     WHERE username = ?
 ";
 $stmt = $mysqli->prepare($sql);

 // ** As we discovered, the binding needs to happen in one
 // ** call, not across several
 $stmt->bind_param('ss', $_POST['Female'], $_SESSION['username']);
 $stmt->execute();

查看原始代码,似乎存在两个问题:语句根本没有准备好(因此程序应该退出并发生致命错误)并且原始SQL语句中存在语法错误。

在新代码中,您错过了execute()来电。

相关问题
最新问题