Question

我的MySQL查询应插入从表单输入的数据。没有错误。我认为这段代码完全没有错。我之前使用过这段代码用于其他表，它可以正常工作。请忽略isset进行更新。这是其他的东西。 writerID，illustratorID和publisherName是来自不同表的外键。这可能是问题吗？

<?php

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "graphicnoveldb";

$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// get results from database

if(isset($_POST['update'])){
    $UpdateQuery = "Update graphicnovel Set
                    graphicNovelTitle='$_POST[graphicnoveltitle]',
                    genre='$_POST[genre]',
                    synopsis='$_POST[synopsis]',
                    review='$_POST[review]',
                    rating='$_POST[rating]',
                    writerID='$_POST[writerID]',
                    illustratorID='$_POST[illustratorID]',
                    coverPage='$_POST[coverpage]'
                    Where graphicNovelTitle='$_POST[hidden]'";
    mysqli_query($conn,$UpdateQuery);

};


if(isset($_POST['add'])){
    $AddQuery = "Insert into graphicnovel (graphicNovelTitle, genre, synopsis, review, rating, writerID, illustratorID, publisherName, datePublished, coverPage)
                Values('$_POST[ugraphicnoveltitle]',
                      '$_POST[ugenre]',
                      '$_POST[usynopsis]',
                      '$_POST[ureview]',
                      '$_POST[urating]',
                      '$_POST[uwriterID]',
                      '$_POST[uillustratorID]',
                      '$_POST[upublishername]',
                      '$_POST[udatepublished]',
                      '$_POST[ucoverpage]')";
    mysqli_query($conn,$AddQuery);

};



$sql="SELECT * FROM graphicnovel";

$result = mysqli_query($conn,$sql);



echo "<table>";



echo "<form action = ModifyGraphicNovel.php method =post>";

echo"<tr><th>New Graphic Novel Title</th>";
echo '<td><input type=text name= ugraphicnoveltitle></td></tr>';

echo"<tr><th>New Genre</th>";
echo '<td><input type=text name= ugenre></td></tr>';

echo"<tr><th>New Synopsis</th>";
echo '<td><textarea name= usynopsis  rows = 5 cols = 70 border =5 value=></textarea></tr>';

echo"<tr><th>New Review</th>";
echo '<td><textarea name= ureview  rows = 5 cols = 70 border =5 value=></textarea></tr>';

echo"<tr><th>New Rating</th>";
echo '<td><input type=text name= urating></td></tr>';

echo"<tr><th>New Writer ID</th>";
echo '<td><input type=text name= uwriterID></td></tr>';

echo"<tr><th>New Illustrator ID</th>";
echo '<td><input type=text name= uillustratorID></td></tr>';

echo"<tr><th>New Publisher Name</th>";
echo '<td><input type=text name= upublishername></td></tr>';

echo"<tr><th>New Date Published</th>";
echo '<td><input type=date name= udatepublished></td></tr>';

echo"<tr><th>New Coverpage</th>";
echo '<td><input type=text name= ucoverpage></td></tr>';



echo '<tr><td>' . "<input type = submit name=add value=add" . ' </td></tr>';

echo "</form>";
echo "</table>";
// close table>


$conn->close();
?>

Answer 1

如上所述，您必须在数组键周围使用引号，并且当它们位于带引号的字符串中时，也总是在数组周围使用花括号。
应该使用转义，甚至更好的绑定参数来阻止SQL注入。这也会使第一个问题变得更容易......

if(isset($_POST['add'])){

  $AddQuery = $conn->prepare("Insert into graphicnovel (graphicNovelTitle, 
             genre, synopsis, review, rating, writerID, illustratorID,
             publisherName, datePublished, coverPage) VALUES (?,?,?,?,?,?,?,?,?,?)");
  $addQuery->bind_param($_POST['ugraphicnoveltitle'],
                  $_POST['ugenre'],
                  $_POST['usynopsis'],
                  $_POST['ureview'],
                  $_POST['urating'],
                  $_POST['uwriterID'],
                  $_POST['uillustratorID'],
                  $_POST['upublishername'],
                  $_POST['udatepublished'],
                  $_POST['ucoverpage']);

  $addQuery->execute();

  printf("%d Row inserted.\n", $addQuery->affected_rows);
  $addQuery->close();


}

Mysql插入语句不在db中插入数据

1 个答案: