Question

我是php的新手，尝试制作这个简单的表单，但我一直在寻找不同的示例，但是我们已经完成mysql并且我已经完成告诉他切换到mysqli。

<html>
<head>
    <title>

    </title>
</head>
<body>
<form action="process.php" method="post">
<table>
    <tr><th>Student Details</th></tr>
        <tr>
        <td><label for="student_name">Student Name</label></td>
        <td><input type="text" name="student_name" id="student_name"/> </td>
    </tr>
    <tr>
        <td><label for="student_email">Student Email</label></td>
        <td><input type="email" name="student_email" id="student_email"/> </td>
    </tr>
    <tr>
        <td><label for="student_city">Student City</label></td>
        <td><input type="text" name="student_city" id="student_city"/> </td>
    </tr>
    <tr>
        <td><button name= "submit"type="submit">Submit</button></td>

    </tr>

</table>
</form>
</body>
</html>

有人可以查看此代码并告诉我如何：

A）避免以下错误：

未定义的变量：插入C：\ Users \ CEO \ Google      第30行的Drive \ Form \ process.php

警告： mysqli_query（）要求参数1为mysqli，给定为null      在第30行的C：\ Users \ CEO \ Google Drive \ Form \ process.php

B）显然这个表格是一个完全的安全风险，我应该添加什么来修复它？

  <?php
    $server = 'localhost';
    $user = 'root';
    $pass = '';
    $db = 'college';
    $conn = mysqli_connect($server, $user, $pass, $db); //Connect to Database

    if(isset($_POST['submit'])){
        $name = $_POST['student_name'];
        $email = $_POST['student_email'];
        $city = $_POST['student_city'];
    if($name != "" || $email != "" || $city != ""){
    $insert = "INSERT INTO students(student_name, student_email,student_contact) VALUES ('$name','$email','$city')";
    $query = mysqli_query($conn,$insert);
        echo "Data inserted";
        }else{
            echo "Failed to insert data";
        }
    }

    if (!mysqli_query($insert, $conn)) {
        die('Error: ' . mysqli_error($conn));
    }
    echo "1 record added";
    mysqli_close($conn);

Answer 1

您分配到$insert块内的if。但是，您尝试在if块之外执行查询。因此，如果未满足if条件，您仍会尝试调用mysqli_query()，但使用未初始化的变量。您应该将其移到if。

if(isset($_POST['submit'])){
    $name = $_POST['student_name'];
    $email = $_POST['student_email'];
    $city = $_POST['student_city'];

    if($name != "" || $email != "" || $city != ""){
        $insert = "INSERT INTO students(student_name, student_email, student_contact)
          VALUES ('$name','$email','$city')";
        if (mysqli_query($conn,$insert)) {
            echo "Data inserted";
        }else{
            echo "Failed to insert data: " . mysqli_error($conn);
        }
    } else {
        echo "You have to fill in name, email, or city";
    }
}

但是使用准备好的陈述会更好。

if(isset($_POST['submit'])){
    $name = $_POST['student_name'];
    $email = $_POST['student_email'];
    $city = $_POST['student_city'];

    if($name != "" || $email != "" || $city != ""){
        $insert = mysqli_prepare("INSERT INTO students(student_name, student_email, student_contact)
          VALUES (?, ?, ?)") or die(mysqli_error($conn));
        mysqli_stmt_bind_param($insert, "sss", $name, $email, $city);
        if (mysqli_stmt_execute($insert)) {
            echo "Data inserted";
        }else{
            echo "Failed to insert data: " . mysqli_error($conn);
        }
    } else {
        echo "You have to fill in name, email, or city";
    }
}

创建将数据发送到数据库的php表单时出现问题

1 个答案: