我有两段代码似乎无法解决错误。 搜索这个网站,我看到很多其他人有同样的问题。使用一些给定的答案,我用我给出的代码塑造了我的代码,但无济于事。 测试我的表单,传递的所有变量(在php文件中使用“echo”) 我的表单看起来像这样:
<div style="position: absolute; left: 10px; top: 290px; z-index: 6;">
<form name="offerings" action="Offer_done.php" method="POST">
<table>
<tr>
<td align="right">First Name:</td>
<td align="left"><input type="text" name="fname" required vspace="4"
/></td>
</tr>
<tr>
<td align="right">Last Name:</td>
<td align="left"><input type="text" name="lname" required vspace="4"
/></td>
</tr>
<tr>
<td align="right">Email:</td>
<td align="left"><input type="text" name="email" required vspace="4"
/></td>
</tr>
<tr>
<td align="right">Choose Your Card:</td>
<td><input list="card_type" name="card_type" required /></td>
<datalist id="card_type">
<option value="American Express">
<option value="Cirrus">
<option value="Diners Club">
<option value="Discover">
<option value="MasterCard">
<option value="Visa">
</datalist>
</tr>
<tr>
<td align="right">Credit Card Num:</td>
<td align="left"><input type="text" name="c_number" required
SIZE="16" MAXLENGTH="16" vspace="4" /></td>
</tr>
<tr>
<td align="right">CV Code:</td>
<td align="left"><input type="text" name="cv_code" required SIZE="4"
MAXLENGTH="4" vspace="4" /></td>
</tr>
<tr>
<td align="right">Offering Amt($):</td>
<td align="left">$<input type="number" name="amount" value="1"
min="0" step="1.00" data-number-to-fixed="2" data-number-
stepfactor="100" class="currency" id="c1" name="money" required
SIZE="7" MAXLENGTH="7" vspace="4" />
</tr>
<tr>
<td align="right"><INPUT TYPE="submit" VALUE="Submit Your Offering">
</td>
<td><input action="action" onclick="window.history.go(-1); return
false;" type="button" value="Cancel - Back To Index Page" /></td>
</tr>
</table>
</form>
</div>
<!- - - - - - - - - - - - - - - - - - End Form- - - - - - - - - - - - - -
- - - - - - - ->
我要处理和发送的php文件如下所示:
<?php
$conn = mysqli_connect("localhost", "root", "xuncle", "offerings");
if(!$conn) {
die("connection failed: " .mysqli_connect_error());
}
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$card_type = $_POST['card_type'];
$c_number = $_POST['c_number'];
$cv_code = $_POST['cv_code'];
$amount = $_POST['amount'];
$mysqli_query = "INSERT INTO givers (fname, lname, email, card_type,
c_number, cv_code, amount)
VALUES ($fname, $lname, $email, $card_type, $c_number, $cv_code,
$amount)";
$result = mysqli_query($conn,$sql);
header("Location: index.html");
?>
有人可以让我回到正轨吗?
答案 0 :(得分:1)
此行中有一个拼写错误$result = mysqli_query($conn,$sql);
您需要将其更改为$result = mysqli_query($conn,$mysqli_query);
,如@Akintunde所述。
我建议你使用prepared statements。这些是由数据库服务器与任何参数分开发送和解析的SQL语句。 查看How can I prevent SQL injection in PHP?
<?php
if(isset($_POST)){
$conn = mysqli_connect("localhost", "root", "xuncle", "offerings");
if (!$conn) {
die("connection failed: " . mysqli_connect_error());
}
$result = mysqli_prepare($conn, "INSERT INTO `givers` (`fname`, `lname`, `email`, `card_type`, `c_number`, `cv_code`, `amount`) VALUES (?, ?, ?, ?, ?, ?, ?)");
mysqli_stmt_bind_param($result, "ssssssd", $_POST['fname'],$_POST['lname'],$_POST['email'],$_POST['card_type'],$_POST['c_number'],$_POST['cv_code'],$_POST['amount']);
mysqli_stmt_execute($result);
header("Location: index.html");
}
?>
答案 1 :(得分:0)
在上面的代码中,您在执行查询时访问了错误的变量。此外,您的代码风险很大,因此您需要开始使用预准备语句,因为您使用的API支持它。这有助于防止SQL注入。
您的最终代码是:
$conn = new mysqli("localhost", "root", "xuncle", "offerings");
if(!$conn) {
die("connection failed: " .$conn->connect_error);
}
$stmt = $conn->prepare("INSERT INTO givers (fname, lname, email, card_type, c_number, cv_code, amount) VALUES (?, ?, ?, ?, ?, ?, ?)");//prepare the statement
$stmt->bind_param("sssssss", $fname, $lname, $email, $card_type, $c_number, $cv_code, $amount);//bind placeholders to variables
if($stmt->execute() === true){//everything went fine
header("Location: index.html");
//echo 'Data saved successfully';
} else {
echo 'Error. Data not saved. '.$conn->error;//get error
}