我试图通过以下方式将表单值传递给addPerson函数。在我的数据库中创建了一个新条目(person),但没有传递任何表单值。仅创建空白条目。如何正确传递表单值?
<form action="<?= site_url("/Admin/addPerson/username/password/accesslevel")?>" method="post" accept-charset="utf-8">
<fieldset>
<legend>Add new user</legend>
<label for="username">Username:</label> <br>
<input type="text" name="username" value="" id="username" />
<br>
<label for="password">Password:</label> <br>
<input type="text" name="password" value="" id="password" />
<br>
<label for="accesslevel">Access Level:</label> <br>
<input type="text" name="accesslevel" value="" id="accesslevel" />
<br>
<input type="submit" name="submit" value="Submit" />
</fieldset>
</form>
控制器功能:
public function addPerson($username, $password, $accesslevel)
{
// add the person to database with
$this->db->query("INSERT INTO usersas6 " .
"(compid,username,password,accesslevel) VALUES " .
"(null,$username, $password, $accesslevel)");
$this->getAllPerson();
$this->template->show('Admin', $this->TPL);
}
答案 0 :(得分:2)
在使用POST方法的同时,您在方法的URL中有一个奇怪的设置参数。
我建议您将site_url("/Admin/addPerson")更改为public function addPerson() {
// GET AND SET POSTED DATA
$username = $this->input->post('username');
$password = $this->input->post('password');
$accesslevel = $this->input->post('accesslevel');
// ESCAPE STRINGS AND INSERT TO DB
$sql = "INSERT INTO usersas6 (compid,username,password,accesslevel) ".
"VALUES (NULL, ".
"'".$this->db->escape_str($username)."', ".
"'".$this->db->escape_str($password)."', ".
"'".$this->db->escape_str($accesslevel)."')";
$this->db->query($sql); // EXECUTE QUERY
$this->getAllPerson();
$this->template->show('Admin', $this->TPL);
}
,然后仅使用POST
@interface Constants : NSObject
+(NSString *)changeDateFormat:(NSString *)currentDate;
@end
你应该总是正确验证输入,这样你就不会在数据库中得到任何xss或sql-injections。