我正在开发网站,有趣的是我可以将数据插入除了我的一张桌子之外的所有表格。
PHP PART
function newproperty(){
global $link;
if(isset($_POST['sendprop']) && $_POST['agree'] == 'Yes'){
$name=mysqli_real_escape_string($link,$_POST['name']);
$owner=mysqli_real_escape_string($link,$_POST['owner']);
$tel=mysqli_real_escape_string($link,$_POST['tel']);
$email=$_SESSION['cust_user'];
$type=$_POST['type'];
$loc=$_POST['location'];
$address=mysqli_real_escape_string($link,$_POST['address']);
$bed=$_POST['bed'];
$price=$_POST['price'];
$descrip=mysqli_real_escape_string($link,$_POST['desc']);
$temp = explode(".", $_FILES["pic"]["name"]);
$thumb = round(microtime(true)) . '.' . end($temp);
move_uploaded_file($_FILES["pic"]["tmp_name"], 'assets/propthumb/'.$thumb);
$query="insert into property
(prop_name, prop_email, prop_owner,
prop_tel, prop_type, prop_location,
prop_bed, prop_price, prop_thumb,
prop_desc, prop_address)
values
('$name','$email','$owner',
'$tel','$type','$loc',
'$bed','$price','$thumb',
'$descrip','$address')";
$run=mysqli_query($link,$query);
if($run){
echo"<script>alert('Property has been inserted successfully');</script>";
echo"<script>window.open('list.php','_self');</script>";
}
}
}
HTML PART
<form action="submit.php" method="post" enctype="multipart/form-data">
<div class="container bgsearch shadow">
<div class="container-fluid ">
<br>
<div class="row">
<div class="col-lg-10 col-lg-offset-1">
<img src="assets/images/hero1.png" class=" img-responsive">
</div>
</div>
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h3 class="wtxt text-center">Submit Property</h3>
<br>
<hr id="hr">
</div>
</div>
<div class="row">
<div class="col-lg-6 col-lg-offset-3">
<a href="list.php" class="form-control btn btn-success btn-block">List of my properties</a>
<br>
</div>
</div>
<div class="row">
<div class="col-lg-2"></div>
<div class="col-lg-4">
<input type="text" class="form-control btn-block" name="name" placeholder="Property Name">
<input type="text" class="form-control btn-block" name="owner" placeholder="Owner Name">
<input type="tel" class="form-control btn-block" name="tel" placeholder="Owner Telephone Number">
<select class=" btn-block form-control" name="type" required>
<option value='...'>...</option>
</select>
<select class=" btn-block form-control" name="location" required>
<option value='...'>...</option>
.
</select>
<input type="text" class="form-control btn-block" name="address" placeholder="Address">
<input type="number" name="bed" class=" btn-block form-control" placeholder="Bedroom" min="0">
</div>
<div class="col-lg-4">
<input type="number" name="price" class=" btn-block form-control" placeholder="Price (TL)" step="25" min="200">
<lable class="wtxt"><h5><b>Property Thumbnail Image</b></h5></lable>
<input type="file" class="form-control btn-block" name="pic" accept="image/*">
<textarea class="form-control btn-block" name="desc" rows="6" required></textarea>
<div class="checkbox">
<label>
<input type="checkbox" name="agree" value="Yes"> Agree With Terms & Conditions
</label>
</div>
</div>
<div class="col-lg-2"></div>
</div>
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<input type="submit" class="form-control btn btn-warning btn-block" name="sendprop" value="Submit">
</div>
</div>
<br><br>
</div>
</div>
</form>
<?php newproperty(); ?>
我尝试过但仍然无效的是: 1.下桌并制作新桌子 2.更改我的表名称 3.将insert插入...值以插入.. set ... 4. ....
请尽快帮助我。
答案 0 :(得分:0)
处理错误情况,例如
if($run){
// whatever
} else {
echo "<script>alert('SQL error: "
. htmlspecialchars(mysqli_error($link))
. "');</script>"
}
至于找出该语句为什么不起作用,为了调试,发出SQL文本并在另一个客户端中测试它。
您在某些值上调用了mysqli_real_escape_string函数,但在其他值上没有调用INSERT函数。因此,您的SQL {{1}}语句仍然容易受到SQL注入攻击。
更好的模式是使用准备好的声明和绑定占位符。它真的不那么难。