<?php
if (isset($_GET['submit'])) {
$item_code = mysqli_real_escape_string($conn, $_GET['item_code']);
$item_name = mysqli_real_escape_string($conn, $_GET['item_name']);
$supplier = mysqli_real_escape_string($conn, $_GET['supplier_name']);
$brand = mysqli_real_escape_string($conn, $_GET['brand_name']);
$quantity = mysqli_real_escape_string($conn, $_GET['quantity']);
$unit = mysqli_real_escape_string($conn, $_GET['unit_name']);
$price = mysqli_real_escape_string($conn, $_GET['price']);
$item_type = mysqli_real_escape_string($conn, $_GET['type_name']);
$category = mysqli_real_escape_string($conn, $_GET['cat_name']);
if ($item_code == '' || $item_name == '' || $supplier == '' || $brand == '' ||
$quantity == '' ||
$unit == '' ||
$price == '' ||
$item_type == '' ||
$category == ''
) {
header("Location: item.php?attempt=empty");
} else {
$sql = mysqli_query($conn, "INSERT INTO itemlist (item_name,supplier_name,brand_name,quantity,unit_name,price,type_name,cat_name) values('$item_name','$supplier','$brand','$quantity','$unit','$price','$item_type','$category')")
or die("Could not execute the insert query.");
header("Location: item.php?attempt=saved");
}
}
?>
答案 0 :(得分:2)
我只是注意到了一些事情:
GET方法来传递数据而不是POST?empty()代替== '' $_GET['item_code']的目的是什么?您没有在插入中使用它,但它处于if()状态。假设您已将表单从GET更改为POST方法:
if (isset($_POST['submit'])) {
if(empty($_POST['item_code']) || empty($_POST['item_name']) || empty($_POST['supplier_name']) || empty($_POST['brand_name']) || empty($_POST['quantity']) || empty($_POST['unit_name']) || empty($_POST['price']) || empty($_POST['type_name']) || empty($_POST['cat_name'])){
header("Location: item.php?attempt=empty");
} else {
$stmt = $conn->prepare("INSERT INTO itemlist (item_code, item_name, supplier_name, brand_name, quantity, unit_name, price, type_name, cat_name) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("sssssssss", $_POST['item_code'], $_POST['item_name'], $_POST['supplier_name'], $_POST['brand_name'], $_POST['quantity'], $_POST['unit_name'], $_POST['price'], $_POST['type_name'], $_POST['cat_name']);
$stmt->execute();
$stmt->close();
header("Location: item.php?attempt=saved");
}
}
请记住,一个空数据将进入if()条件并执行header("Location: item.php?attempt=empty");。
答案 1 :(得分:1)
1)在插入查询中添加item_code。
<?php
if (isset($_GET['submit'])) {
$item_code = mysqli_real_escape_string($conn, $_GET['item_code']);
$item_name = mysqli_real_escape_string($conn, $_GET['item_name']);
$supplier = mysqli_real_escape_string($conn, $_GET['supplier_name']);
$brand = mysqli_real_escape_string($conn, $_GET['brand_name']);
$quantity = mysqli_real_escape_string($conn, $_GET['quantity']);
$unit = mysqli_real_escape_string($conn, $_GET['unit_name']);
$price = mysqli_real_escape_string($conn, $_GET['price']);
$item_type = mysqli_real_escape_string($conn, $_GET['type_name']);
$category = mysqli_real_escape_string($conn, $_GET['cat_name']);
if ($item_code == '' || $item_name == '' || $supplier == '' || $brand == '' ||
$quantity == '' ||
$unit == '' ||
$price == '' ||
$item_type == '' ||
$category == ''
) {
header("Location: item.php?attempt=empty");
} else {
$sql = mysqli_query($conn, "INSERT INTO itemlist (item_code,item_name,supplier_name,brand_name,quantity,unit_name,price,type_name,cat_name) values('$item_code','$item_name','$supplier','$brand','$quantity','$unit','$price','$item_type','$category')")
or die("Could not execute the insert query.");
header("Location: item.php?attempt=saved");
}
}
?>
2)另一种解决方法是将item_code定义为 primary key 。
3)其他方法是使用任何默认值(如0)定义item_code。
答案 2 :(得分:0)
您可以尝试此解决方案:
function escape($col, $conn) {
return mysqli_real_escape_string($conn, $_GET[$col]);
}
function insert($tbl, $dataArray) {
foreach ($dataArray as $k => $v) {
$keys .= $k . ", ";
$values .= "'" . $this->real_escape_string($v) . "', ";
}
$keys = substr($keys, 0, strlen($keys) - 2);
$values = substr($values, 0, strlen($values) - 2);
$sql = "INSERT INTO " . $tbl . "(" . $keys . ") VALUES(" . $values . ")";
$exeq = mysqli_query($sql);
return $exeq;
}
$fields = array("item_code", "item_name", "supplier_name", "brand_name", "quantity", "unit_name", "price", "type_name", "cat_name");
if (isset($_GET['submit'])) {
$item_code = escape('item_code', $conn);
$item_name = escape('item_name', $conn);
$supplier = escape('supplier_name', $conn);
$brand = escape('brand_name', $conn);
$quantity = escape('quantity', $conn);
$unit = escape('unit_name', $conn);
$price = escape('price', $conn);
$item_type = escape('type_name', $conn);
$category = escape('cat_name', $conn);
foreach ($fields as $field) {
if (!$_GET[$field]) {
header("Location: item.php?attempt=empty");
}
}
$dataInsert = array(
'item_code' => $item_code,
'item_name' => $item_name,
'supplier_name' => $supplier,
'brand_name' => $brand,
'quantity' => $quantity,
'unit_name' => $unit,
'price' => $price,
'type_name' => $item_type,
'cat_name' => $category
);
if ( insert("itemlist", $dataInsert) ) {
header("Location: item.php?attempt=saved");
} else {
echo "Could not execute the insert query.";
exit();
}
}