表单中的数据没有保存到数据库中,但是正在添加一行,我正在使用Go Daddy进行托管。它完全适用于我的当地,但现在似乎没有工作。请在下面找到我正在使用的代码:
<?php
if($_SERVER["REQUEST_METHOD"]=="POST")
{
$fName = mysql_real_escape_string($_POST['fName']);
$surname = mysql_real_escape_string($_POST['surname']);
$postcode = mysql_real_escape_string($_POST['postcode']);
$tel = mysql_real_escape_string($_POST['tel']);
$mobile = mysql_real_escape_string($_POST['mobile']);
$email = mysql_real_escape_string($_POST['email']);
$bool = true;
$con = mysql_connect("localhost","username","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("db name", $con);
$sql="INSERT INTO customer (custNo, fName, surname, postcode, tel, mobile, email, timestamp)
VALUES (NULL, '$fName','$surname','$postcode', '$tel', '$mobile', '$email', 'CURRENT_TIMESTAMP')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
} else{
echo "Successfully Registered ";
}
}
mysql_close($con)
?>
这是html表单
<form action="insert.php" method = "post">
<fieldset>
<legend>Register</legend>
<div class="col-md-4">
<label for='fName'>Enter name:</label>
<input type= "text" name = "fName" required="required" maxlength="50"/> <br/>
</div>
<div class="col-md-4">
<label for='surname'>Enter surname:</label>
<input type= "text" name="surname" maxlength="50" required="required"/> <br/>
</div>
<div class="col-md-4">
<label for='postcode'>Enter postcode:</label>
<input type= "text" name="postcode" maxlength="7"/> <br/>
</div>
<div class="col-md-4">
<label for='tel'>Enter home no:</label>
<input type= "text" name="tel" maxlength="50" /> <br/>
</div>
<div class="col-md-4">
<label for='mobile'>Enter mobile no:</label>
<input type= "text" name="mobile" maxlength="50"/> <br/>
</div>
<div class="col-md-4">
<label for='email'>Enter email * </label>
<input type= "text" name="email" required="required"/> <br/></br>
</div>
<input type="submit" value="Register"/>
</fieldset>
</form>
答案 0 :(得分:2)
首先:
警告
自PHP 5.5.0起,此扩展程序已弃用,将来将被删除。相反,应该使用MySQLi或PDO_MySQL扩展。
如果您没有查看$ _POST [&#39;密码&#39;],它可能是用户想要的任何内容!例如:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";
// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);
这意味着发送给MySQL的查询将是:
SELECT * FROM users WHERE user =&#39; aidan&#39;和密码=&#39;&#39;或&#39;&#39; =&#39;&#39;
这样任何人都可以在没有有效密码的情况下登录。
由于这个事实,所有变量都是空的......
在使用mysql_real_escape_string()之前需要MySQL连接 否则会生成E_WARNING级别的错误,FALSE为 返回。
在连接后输入 mysql_real_escape_string()。
$con = mysql_connect("localhost","username","password");
if (!$con) { ...}
mysql_select_db("db name", $con);
//-------------- next after connect not before !!! --------
$fName = mysql_real_escape_string($_POST['fName']);
[...]
$email = mysql_real_escape_string($_POST['email']);
$bool = true;
$sql="INSERT INTO customer (...) VALUES (...)";
答案 1 :(得分:1)
这可能是由于varibales。
尝试将$ sql行更改为此
pe<.?ter -----> should return false
ale8 ---------> should return false
?ramon -------> should return false
tho<>?mass----> should return false
peter -----> should return true
alex ------> should return true
ramon -----> should return true
thomas ----> should return true