I have written the code below for my SQL. It is doing everything right, except that the data is not being saved to the database.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $ename = mysqli_real_escape_string($con,$_POST['ename']);
    $enumber = mysqli_real_escape_string($con,$_POST['enumber']);
    $eemail = mysqli_real_escape_string($con,$_POST['eemail']);
    $eproperty = mysqli_real_escape_string($con,$_POST['eproperty']);
    $emessage = mysqli_real_escape_string($con,$_POST['emessage']);
    $status = "OK";
    $msg="";
    if ($status=="OK") {
        $query = mysqli_query($con,"insert into enquiry (ename, enumber, eemail, eproperty, emessage) values('$ename', '$enumber', '$eemail', '$eproperty', $'emessage')");
        print "<div class='alert alert-success'>Your property enquiry has been submitted successfully.</div>";
    } else {
        $errormsg = "<div class='alert alert-danger'>
        <button type='button' class='close' data-dismiss='alert'>&times;</button>
        <i class='fa fa-ban-circle'></i><strong>Please Fix Below Errors : </br></strong>".$msg."</div>"; // printing error if found in validation
    }
}
Answer 0 (score: 0)
Your code is open to SQL injections; use prepared statements. The error is here:
values('$ename', '$enumber', '$eemail', '$eproperty', $'emessage')");
$'emessage' is a typo, so change it to:
'$emessage'
Answer 1 (score: 0)
The last message variable was not added correctly:
$query=mysqli_query($con,"insert into enquiry (ename, enumber, eemail, eproperty, emessage) values('$ename', '$enumber', '$eemail', '$eproperty', '$emessage')"); // the quote should come before the variable itself
Your code is very vulnerable to SQL injection attacks. Use prepared statements with mysqli:
$stmt = $con->prepare("INSERT INTO enquiry (ename,enumber,eemail,eproperty,emessage) VALUES(?,?,?,?,?)"); // bind parameters to prevent SQL injection
$stmt->bind_param('sssss', $ename,$enumber, $eemail,$eproperty,$emessage);
if($stmt->execute() === true) {
    echo 'enquiry saved';
} else {
    echo 'error'. $stmt->error;
}
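Both answers fix the typo and recommend prepared statements, but neither addresses why the bug went unnoticed: the original handler prints "submitted successfully" without ever checking what mysqli_query() returned. PHP does not interpolate $'emessage' inside a double-quoted string (a $ must be followed by an identifier), so MySQL receives the literal text $'emessage', rejects the INSERT with a syntax error, and the page still reports success. The following is an added example, not code from the question or either answer. It assumes $con is an open mysqli connection, a table named enquiry with the five columns used on the page, and a form posting the same field names; the helper names validate_enquiry and save_enquiry are this example's own.

```php
<?php
// Added example (not from the original question or answers).
// Assumptions: $con is an open mysqli connection, table `enquiry` has the
// columns ename, enumber, eemail, eproperty, emessage, and the form posts
// fields with those same names.

declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false.
// Without this, a failed INSERT (such as the one caused by the $'emessage'
// typo) is silently ignored and the success message is printed anyway.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the posted fields. Returns a list of error messages (empty = OK).
 */
function validate_enquiry(array $post): array
{
    $errors = [];
    foreach (['ename', 'enumber', 'eemail', 'eproperty', 'emessage'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "Field '$field' is required.";
        }
    }
    if (isset($post['eemail']) && filter_var($post['eemail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return $errors;
}

/**
 * Insert the enquiry with a prepared statement. The values are sent to the
 * server as bound parameters and are never spliced into the SQL text, so a
 * quoting mistake like $'emessage' cannot happen and user input cannot alter
 * the query. Returns the id of the new row.
 */
function save_enquiry(mysqli $con, array $post): int
{
    $stmt = $con->prepare(
        'INSERT INTO enquiry (ename, enumber, eemail, eproperty, emessage) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(
        'sssss',
        $post['ename'],
        $post['enumber'],
        $post['eemail'],
        $post['eproperty'],
        $post['emessage']
    );
    $stmt->execute(); // throws mysqli_sql_exception on failure
    $id = (int) $con->insert_id;
    $stmt->close();
    return $id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_enquiry($_POST);
    if ($errors !== []) {
        // The error text echoes user-controlled field names, so HTML-escape it.
        echo "<div class='alert alert-danger'><strong>Please fix the errors below:</strong><br>"
            . implode('<br>', array_map('htmlspecialchars', $errors)) . '</div>';
    } else {
        try {
            save_enquiry($con, $_POST);
            echo "<div class='alert alert-success'>Your property enquiry has been submitted successfully.</div>";
        } catch (mysqli_sql_exception $e) {
            // Log the real error server-side; do not show $e->getMessage() to the user.
            error_log('enquiry insert failed: ' . $e->getMessage());
            echo "<div class='alert alert-danger'>Sorry, your enquiry could not be saved. Please try again later.</div>";
        }
    }
}
```

mysqli_real_escape_string() is only safe when every escaped value is placed inside a quoted SQL string literal; the moment a value lands outside quotes (as the typo did here, and as happens with numeric columns written as WHERE id = $id), escaping protects nothing. Bound parameters remove that dependency on correct quoting, and enabling mysqli exception reporting turns a silently failed INSERT into an error you can see in the log.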