我有管理员将条目插入数据库,其他值正确插入数据库但选择的值不插入。首先是管理员,他的会话开始后,他将新条目添加到数据库。 请帮忙。
我的html表单是
<form method="post" action="" enctype="multipart/form-data" role="form">
<div class="col-md-4 form-group">
<label for="SubjectMaterialTitle">Subject Material Title</label>
<input type="text" name="sub_title" placeholder="Subject Material Title" class="form-control" required>
</div>
<div class="col-md-4 form-group">
<label for="Downloadurllink">Download url link</label>
<input type="text" name="sub_url" placeholder="Download url link" class="form-control" required>
</div>
<div class="col-md-4 form-group">
<label for="exampleInputFile">File input</label>
<input type="file" name="sub_file" id="exampleInputFile" required>
<p class="help-block">Upload Image/File upto 2MB size only</p>
</div>
<div class="col-md-4 form-group">
<label for="WritenBy">Writen By</label>
<select class="form-control" name="writen_by">
<?php if(isset($_SESSION['admin_email'])){
echo '<option value='. $_SESSION['admin_username'] .'>'. $_SESSION['admin_username'] .'</option> ';
}
?>
</select>
</div>
</form>
PHP代码
<?php
include("includes/config.php");
global $con;
if(isset($_POST['add_submat'])){
//getting the text data from the fields
$sub_title = $_POST['sub_title'];
$sub_url = $_POST['sub_url'];
$writen_by = $_POST['writen_by'];
//getting image from the fields
$sub_file = $_FILES['sub_file']['name'];
$sub_file_tmp = $_FILES['sub_file']['tmp_name'];
move_uploaded_file($sub_file_tmp,"sub-material-files/$sub_file");
//insert data into table
$insert_submat = "insert into m_study_material (sm_title,sm_downloadurl,sm_image,created_by) values ('$sub_title','$sub_url','$sub_file','$writen_by')";
echo $insert_submat;
$run_submat = mysqli_query($con, $insert_submat);
//error_reporting(E_ERROR);
if($run_submat){
echo "<script>alert('Inserted Successfully.')</script>";
} else{
echo "Not inserted";
}
}
?>
答案 0 :(得分:0)
您忘记添加引号arround值,这就是为什么值正在正确发布。
<?php
if(isset($_SESSION['admin_email'])){
echo '<option value="'. $_SESSION['admin_username'] .'">'. $_SESSION['admin_username'] .'</option> ';
}
?>
答案 1 :(得分:0)
首先修复
<div class="col-md-4 form-group">
<label for="WritenBy">Writen By</label>
<select class="form-control" name="writen_by">
<?php if(isset($_SESSION['admin_email'])): ?>
<option>
<?= $_SESSION['admin_username']; ?>
</option>
<?php endif; ?>
</select>
</div>
其次,您应该考虑在插入之前清理用户输入,因为您的代码目前对Injection attack广泛开放。 See more about SQL Injection in PHP
例如,您可以使用辅助功能,例如
function cleanInput($input)
{
$search = array(
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
'@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments
);
$output = preg_replace($search, '', $input);
return $output;
}
function prepare($input)
{
if (get_magic_quotes_gpc())
{
$input = stripslashes($input);
}
$input = cleanInput($input);
return mysql_real_escape_string($input);
}
这样你就可以在任何sql查询之前执行此操作
$sub_title = prepare($_POST['sub_title']);
$sub_url = prepare($_POST['sub_url']);
$writen_by = prepare($_POST['writen_by']);