选择值未插入数据库

时间:2016-06-25 15:12:05

标签: php mysqli

我有管理员将条目插入数据库,其他值正确插入数据库但选择的值不插入。首先是管理员,他的会话开始后,他将新条目添加到数据库。 请帮忙。

我的html表单是

<form method="post" action="" enctype="multipart/form-data" role="form">

    <div class="col-md-4 form-group">
        <label for="SubjectMaterialTitle">Subject Material Title</label>
        <input type="text" name="sub_title" placeholder="Subject Material Title" class="form-control" required>
    </div>

    <div class="col-md-4 form-group">
        <label for="Downloadurllink">Download url link</label>
        <input type="text" name="sub_url" placeholder="Download url link" class="form-control" required>
    </div>                                      

    <div class="col-md-4 form-group">
        <label for="exampleInputFile">File input</label>
        <input type="file" name="sub_file" id="exampleInputFile" required>
        <p class="help-block">Upload Image/File upto 2MB size only</p>
    </div>

    <div class="col-md-4 form-group">
        <label for="WritenBy">Writen By</label>
        <select class="form-control" name="writen_by">
            <?php if(isset($_SESSION['admin_email'])){ 
                        echo '<option value='. $_SESSION['admin_username'] .'>'. $_SESSION['admin_username'] .'</option> '; 
                  }
            ?>
        </select>
    </div>

</form>

PHP代码

<?php

include("includes/config.php");
global $con;
    if(isset($_POST['add_submat'])){

        //getting the text data from the fields
        $sub_title = $_POST['sub_title'];
        $sub_url = $_POST['sub_url'];
        $writen_by = $_POST['writen_by'];

        //getting image from the fields
        $sub_file = $_FILES['sub_file']['name'];
        $sub_file_tmp = $_FILES['sub_file']['tmp_name'];

        move_uploaded_file($sub_file_tmp,"sub-material-files/$sub_file");

        //insert data into table
        $insert_submat = "insert into m_study_material (sm_title,sm_downloadurl,sm_image,created_by) values ('$sub_title','$sub_url','$sub_file','$writen_by')";

        echo $insert_submat;

        $run_submat = mysqli_query($con, $insert_submat);

        //error_reporting(E_ERROR);

        if($run_submat){
            echo "<script>alert('Inserted Successfully.')</script>";
        } else{
            echo "Not inserted";
        }
    }
?>

2 个答案:

答案 0 :(得分:0)

您忘记添加引号arround值,这就是为什么值正在正确发布。

  <?php 
  if(isset($_SESSION['admin_email'])){ 
      echo '<option value="'. $_SESSION['admin_username'] .'">'. $_SESSION['admin_username'] .'</option> '; 
  } 
  ?>

答案 1 :(得分:0)

首先修复

<div class="col-md-4 form-group">
    <label for="WritenBy">Writen By</label>
    <select class="form-control" name="writen_by">
        <?php if(isset($_SESSION['admin_email'])): ?>
            <option>
                <?= $_SESSION['admin_username']; ?>
            </option>
        <?php endif; ?>
    </select>
</div>

其次,您应该考虑在插入之前清理用户输入,因为您的代码目前对Injection attack广泛开放。 See more about SQL Injection in PHP

例如,您可以使用辅助功能,例如

function cleanInput($input)
{
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
        '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
        '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
    );
    $output = preg_replace($search, '', $input);
    return $output;
}
function prepare($input)
{
    if (get_magic_quotes_gpc())
    {
        $input = stripslashes($input);
    }
    $input  = cleanInput($input);
    return mysql_real_escape_string($input);
}

这样你就可以在任何sql查询之前执行此操作

$sub_title = prepare($_POST['sub_title']);
$sub_url = prepare($_POST['sub_url']);
$writen_by = prepare($_POST['writen_by']);