I want to save data to the database through PHP's PDO using the $_POST method. I wrote the code, but it gives me an error. Can anyone figure this out?
macex.php
function daireekle($daire_no,$dpass,$daire_statu,$daire_adi,$daire_soyadi){
$sql ="insert into users (KULLANICIADI,SIFRE,TIPI,ADI,SOYADI) values ('$daire_no','$dpass','$daire_statu','$daire_adi','$daire_soyadi')";
$insert =$this->connection->query($sql);
}
Blok.html
<?php
$sinif = new macex();
if ($_POST) {
$daire_no = $_POST['daireno'];
$daire_adi = $_POST['daireadi'];
$daire_soyadi = $_POST['dairesoyadi'];
$daire_statu = $_POST['statu'];
$dpass = $_POST['dpass'];
$sinif->daireekle('users', ['KULLANICIADI', 'SIFRE', 'TIPI', 'ADI', 'SOYADI'], [$daire_no, $dpass, $daire_statu, $daire_adi, $daire_soyadi]);
}
?>
Answer 0: (score: 0)
Your code is a little hard to follow in terms of structure, but you are definitely misusing PDO by injecting unsanitised POST data.
If I wanted to turn your sample into a working one, I would suggest the following changes:
(Note: this assumes $this->connection is your PDO object)
Blok.html
(Not sure why this PHP file is called Blok.html)
<?php
$sinif = new macex();
if ($_POST) {
$sinif->daireekle( $_POST );
}
?>
macex.php
function daireekle( $postArray ){
// Parameterised PDO will mostly prevent SQL Injection, but it's still best practice
// to validate and sanitize your inputs, especially if they are coming from the user
$daire_no = $postArray['daireno'];
$daire_adi = $postArray['daireadi'];
$daire_soyadi = $postArray['dairesoyadi'];
$daire_statu = $postArray['statu'];
$dpass = $postArray['dpass'];
// Define the query with positional params
$sql = 'INSERT INTO users (KULLANICIADI, SIFRE, TIPI, ADI, SOYADI) VALUES (?,?,?,?,?)';
// Create an array of your params in the order they apply to the query
// (the variables themselves, not quoted strings, otherwise the literal text '$daire_no' would be inserted)
$paramsArray = array($daire_no, $dpass, $daire_statu, $daire_adi, $daire_soyadi);
// Prepare the parameterised query
$query = $this->connection->prepare($sql);
// Execute the INSERT query with the parameters
$query->execute($paramsArray);
}
You can of course use different variants of the above, including named parameters, but it is kept simple for the sake of the explanation above.
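The following is an added example, not the asker's or the answerer's code. It puts the answer's approach into a complete script that runs stand-alone against an in-memory SQLite database (constructed data; the real site presumably uses MySQL), using the named-parameter variant the answer mentions and adding the input validation it recommends. The class name Macex, the countUsers() helper, the table schema and the allowed values for the status field are assumptions made for the demo; the table and column names come from the thread.

```php
<?php
// Added example (not code from the original question or answer).
// Assumptions: in-memory SQLite so it runs offline; class/helper names are hypothetical.

class Macex
{
    private PDO $connection;

    public function __construct(PDO $connection)
    {
        $this->connection = $connection;
        // Throw exceptions instead of silently returning false on errors,
        // so a failed INSERT is never mistaken for success.
        $this->connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Same role as the answer's daireekle(): take the POST array, validate the
    // expected keys, then insert with a parameterised query.
    public function daireekle(array $postArray): int
    {
        $required = ['daireno', 'dpass', 'statu', 'daireadi', 'dairesoyadi'];
        foreach ($required as $key) {
            if (!isset($postArray[$key]) || !is_string($postArray[$key]) || $postArray[$key] === '') {
                throw new InvalidArgumentException("Missing or empty field: $key");
            }
        }
        // Basic validation before any SQL runs: the flat number must be digits
        // only and the status must be one of a known set (assumed values).
        if (!ctype_digit($postArray['daireno'])) {
            throw new InvalidArgumentException('daireno must be numeric');
        }
        if (!in_array($postArray['statu'], ['owner', 'tenant'], true)) {
            throw new InvalidArgumentException('statu must be owner or tenant');
        }

        // Named placeholders: the values are bound separately from the SQL text,
        // so quotes or other characters in the input cannot change the query.
        $sql = 'INSERT INTO users (KULLANICIADI, SIFRE, TIPI, ADI, SOYADI)
                VALUES (:kullaniciadi, :sifre, :tipi, :adi, :soyadi)';
        $stmt = $this->connection->prepare($sql);
        $stmt->execute([
            ':kullaniciadi' => $postArray['daireno'],
            ':sifre'        => $postArray['dpass'],
            ':tipi'         => $postArray['statu'],
            ':adi'          => $postArray['daireadi'],
            ':soyadi'       => $postArray['dairesoyadi'],
        ]);
        return (int) $this->connection->lastInsertId();
    }

    // Hypothetical helper used only to show the demo's effect.
    public function countUsers(): int
    {
        return (int) $this->connection->query('SELECT COUNT(*) FROM users')->fetchColumn();
    }
}

// --- Demo against an in-memory SQLite database (constructed data) ---
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    KULLANICIADI TEXT NOT NULL,
    SIFRE TEXT NOT NULL,
    TIPI TEXT NOT NULL,
    ADI TEXT NOT NULL,
    SOYADI TEXT NOT NULL
)');
$sinif = new Macex($pdo);

// A normal submission, shaped like the $_POST array Blok.html passes through.
$id = $sinif->daireekle([
    'daireno' => '12', 'dpass' => 'secret', 'statu' => 'owner',
    'daireadi' => 'Ayse', 'dairesoyadi' => "O'Brien", // apostrophe is stored as-is
]);
echo "Inserted row $id, rows now: " . $sinif->countUsers() . "\n";

// Invalid input is rejected by validation before any SQL runs.
try {
    $sinif->daireekle(['daireno' => '12abc', 'dpass' => 'x', 'statu' => 'owner',
                       'daireadi' => 'A', 'dairesoyadi' => 'B']);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}
```

Run it with `php` on the command line; the first insert succeeds even though the surname contains an apostrophe (which would have broken, and could be abused in, the interpolated query from the question), and the second call is refused by the validation step before the database is involved. In the original string-interpolated version the same apostrophe would have ended the SQL literal early, which is exactly the condition the answer warns about.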