所以我正在尝试在我的数据库中插入值,它在寄存器中工作,我复制并粘贴相同的代码但是当我更改值时它不会插入虽然var dump给了我值,但查询仍在继续我是假的;
<form class="form-horizontal" action="" method="POST">
<fieldset>
<legend>Account Register</legend>
<div class="form-group">
<label for="PID" class="col-lg-2 control-label">Product ID</label>
<div class="col-lg-10">
<input class="form-control" id="iPID" name="inputpid" placeholder="Product ID" type="text" required>
</div>
</div>
<div class="form-group">
<label for="Pname" class="col-lg-2 control-label">Product Name</label>
<div class="col-lg-10">
<input class="form-control" id="iPname" name="inputpname" placeholder="Product Name" type="text" required>
</div>
</div>
<div class="form-group">
<label for="Pprice" class="col-lg-2 control-label">Product Price</label>
<div class="col-lg-10">
<input class="form-control" id="iPprice" name="inputpprice" placeholder="Product Price" type="text" required>
</div>
</div>
<div class="form-group">
<div class="col-lg-10 col-lg-offset-2">
<button type="reset" class="btn btn-default">Cancel</button>
<button type="submit" class="btn btn-primary">Submit</button>
</div>
</div>
这是这个表单下面的php代码;我已经在代码的顶部有ob_start和session_start;
<?php
include("config.php");
$ppid=$_POST['inputpid'];
$pname=$_POST['inputpname'];
$pprice=$_POST['inputpprice'];
$product_query=mysqli_query($con,"INSERT INTO tblproducts(p_pid, p_name, p_price) VALUES('$ppid', '$pname', $pprice')");
var_dump($ppid);
var_dump($pname);
var_dump($pprice);
var_dump($product_query);
?>
我不知道我在这个中缺少什么,希望有人可以帮助我。提前谢谢!
答案 0 :(得分:3)
<强>更新强>
回应@ tadman对此答案的评论,这是使用参数化查询插入记录的正确方法。我使用过程函数而不是面向对象的样式来保持格式类似于问题中的代码。
<?php
include("config.php");
$filtered = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS);
$stmt = mysqli_prepare($con, 'INSERT INTO tblproducts(p_pid, p_name, p_price) VALUES(?, ?, ?)');
mysqli_stmt_bind_param($stmt, 'sss', $filtered['inputpid'], $filtered['inputpname'], $filtered['inputpprice']); // 's' for string, 'i' for integer, 'd' for double, 'b' for blob
$product_query = mysqli_stmt_execute($stmt);
var_dump($filtered['inputpid']);
var_dump($filtered['inputpname']);
var_dump($filtered['inputpprice']);
var_dump($product_query);
?>
对于那些对面向对象方法感兴趣的人做同样的事情:
<?php
include('config.php');
$filtered = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS);
$stmt = $con->prepare('INSERT INTO tblproducts(p_pid, p_name, p_price) VALUES(?, ?, ?)');
$stmt->bind_param('sss', $filtered['inputpid'], $filtered['inputpname'], $filtered['inputpprice']);
$product_query = $stmt->execute();
var_dump($filtered, $product_query);
?>
<强>上强>
我同意上面的一些评论,你很容易使用你发布的代码注入SQL。下面的代码将纠正您在原始查询中的语法错误,它还将清理输入并安全地将其转义以插入数据库表中。
<?php
include("config.php");
$filtered = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS);
$ppid = mysqli_real_escape_string($con, $filtered['inputpid']);
$pname = mysqli_real_escape_string($con, $filtered['inputpname']);
$pprice = mysqli_real_escape_string($con, $filtered['inputpprice']);
$product_query = mysqli_query($con, "INSERT INTO tblproducts(p_pid, p_name, p_price) VALUES($ppid, $pname, $pprice)");
var_dump($ppid);
var_dump($pname);
var_dump($pprice);
var_dump($product_query);
?>
答案 1 :(得分:2)
$sql1 = mysql_query("SELECT * FROM posts WHERE 1");
while($row1=mysql_fetch_array($sql1))
{
$post_id=$row1['post_id'];
$user = $row1['user_id'];
$sql11 = mysql_query("SELECT * FROM user WHERE user_id=$user");
while($row11=mysql_fetch_array($sql11))
{
$username=$row11['user_name'];
}
echo("..post BY ". $username ."<br>");
$sql2 = mysql_query("SELECT * FROM comments WHERE post_id=$post_id");
while($row2=mysql_fetch_array($sql2))
{
$comment_id=$row2['comment_id'];
$comment_user=$row2['user_id'];
$sql21 = mysql_query("SELECT * FROM user WHERE user_id=$comment_user");
while($row21=mysql_fetch_array($sql21))
{
$com_username=$row21['user_name'];
}
echo("......comment BY " . $com_username . "<br>");
$sql3 = mysql_query("SELECT * FROM replies WHERE comment_id=$comment_id");
while($row3=mysql_fetch_array($sql3))
{
$rep_user=$row3['user_id'];
$sql31 = mysql_query("SELECT * FROM user WHERE user_id=$rep_user");
while($row31=mysql_fetch_array($sql31))
{
$rep_username=$row31['user_name'];
}
echo("...........Reply BY ". $rep_username . "<br>");
}
}
}
请在单点中加上$ pprice