$query = sprintf("INSERT INTO dat(empid,empname,reason,date)VALUES\n%s",
implode(",\n", $values) )
$query1= real_escape_string($query );
请帮我解释一下代码。我不能插入角色。
答案 0 :(得分:1)
首先,始终确保您的数据安全。
$emp_id_safe = filter_var($_POST['emp_id'], FILTER_SANITIZE_NUMBER_INT);
$emp_name_safe = filter_var($_POST['emp_name'], FILTER_SANITIZE_STRING);
$reason_safe = filter_var($_POST['reason'], FILTER_SANITIZE_STRING);
$end_date_safe = filter_var($_POST['to_date'], FILTER_SANITIZE_STRING);
其次,mysql PHP扩展名为deprecated,将来会被删除。将其替换为mysqli。
if ($emp_id_safe == FALSE || $emp_name_safe == FALSE ||
$reason_safe == FALSE || $end_date_safe == FALSE) {
die('Filter failure');
} else {
$stmt = $mysqli->prepare("INSERT INTO date(empid, empname, reason, date) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssss", $emp_id_safe, $emp_name_safe, $reason_safe, $end_date_safe);
$stmt->execute();
}