PHP仅将VAR添加到VARCHAR列中的sql

Question

PHP仅在VARCHAR列中将Numbers添加到MySQL而不是文本 当在MySQL中直接使用查询时，它可以工作......但是如果我使用HTML中的$_POST，IT就会失败 我不知道失败的原因。这有什么问题？

<?php 
    $link=mysqli_connect("localhost","root","","home_ac");
    if(mysqli_connect_error()) {
        die("error in database");
    }

    $name =$_POST["name"];
    $query = "INSERT INTO `test`(`number`, `name`) VALUES (NULL,$name)";

    if(mysqli_query($link, $query)){
        echo "done";
    }
    else {
        echo "failed";
    }   
?>

<!doctype html>
<html>
    <head>
    <meta charset="utf-8">
        <title>Untitled Document</title>
    </head>

    <body>
        <form method="post">
            <input type="text" placeholder="enter a name" name="name">
            <input type="submit" value="add">
        </form>
    </body>
</html>

Answer 1

您需要围绕文字引用

$query = "INSERT INTO `test`(`number`, `name`) VALUES (NULL,'$name')";

请考虑准备好的查询。它解决引用问题并防止SQL注入。

Answer 2

您必须使用PHP准备语句或PHP数据对象（PDO）。

例如，使用PDO：

<html>
    <head>
    <meta charset="utf-8">
    <title> Example PDO Insert </title>
    </head>

    <body>
    <form method="post" action="" name="myForm" id="myForm">

        <input type="text" placeholder="Enter Your Name" name="name" required="required">
        <input type="submit" name="submit" value="add">
    </form>
    </body>
</html>




<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "home_ac";

try {

    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);


    if ( isset($_POST['submit']) && !empty($_POST['name']) ) {
        # code...

    $sql = "INSERT INTO test (number,name) VALUES (NULL,'$name')";
    // use exec() because no results are returned
    $conn->exec($sql);
    echo "New record created successfully";

    }

}
catch(PDOException $e)
    {
    echo $sql . "<br>" . $e->getMessage();
    }

$conn = null;
?>