I am trying to make a form and upload it to my database, but it is not working.
Here is my HTML code:
<form name="Form-Request" method="post" action ="icn/form.php">
<div>
<p><input type = "text" placeholder="Name" name = "name"></p>
<p><input type = "email" placeholder="Email-address" name = "email"></p>
<p><input type = "text" placeholder="Virtual Airline" name = "va"></p>
<p><input type = "text" placeholder="Virtual Airline (IATA Code)" name = "va-iata"></p>
<p><select name="pricing">
<option>Free</option>
<option>Business</option>
<option>Pro</option>
</select></p>
<p><select name="vam-vms">
<option>PHPVMS</option>
<option>VAM</option>
</select></p>
<p><input type = "text" placeholder="Additional Info" name = "add-info"></p>
<input class="button-primary" type="submit" value="Submit">
Here is my PHP post file. I have entered the database details, but I don't want to share them :):
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$va = $_POST['va'];
$vaiata = $_POST['va-iata'];
$pricing = $_POST['pricing'];
$vamvms = $_POST['vam-vms'];
$additionalinfo = $_POST['add-info'];
<?php
$servername = "host";
$username = "username";
$password = "password";
$dbname = "dbname";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO request_site (Name, Email Address, Virtual Airline, Virtual Airline IATA, Pricing, VAM/PHPVMS, Additional info)
VALUES ('$name', '$email', '$va', '$vaiata', '$pricing', '$vamvms', '$additionalinfo' )";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
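Thanks.
Answer 0 (score: 0)
There are a few things that should be done with this code.
First, since you are trying to use every field in the form, you should add the required attribute to every input field.
Second, since you are submitting a POST request, I would recommend checking in your PHP script that the request is a POST and that the values you are trying to get from the POST exist. This will prevent someone from simply navigating to your script and trying to execute it improperly: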
<?php
if (
    $_SERVER['REQUEST_METHOD'] === 'POST' &&
    array_key_exists('name', $_POST) &&
    array_key_exists('email', $_POST) &&
    array_key_exists('va', $_POST) &&
    array_key_exists('va-iata', $_POST) &&
    array_key_exists('pricing', $_POST) &&
    array_key_exists('vam-vms', $_POST) &&
    array_key_exists('add-info', $_POST)
) {
    /* ... */
} else {
    http_response_code(401);
}
?>
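Third, do not use mysqli. The PDO class has been around since PHP 5.1.0 and is the preferred way to connect to a database. In this case, use a try/catch statement to try to establish a PDO connection: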
try {
    /* database configuration */
    $servername = "host";
    $username = "username";
    $password = "password";
    $dbname = "dbname";
    /* establish a PDO connection */
    $dsn = "mysql:dbname=$dbname;host=$servername;charset=utf8mb4";
    $db = new PDO($dsn, $username, $password);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    /* run SQL query */
} catch(PDOException $ex) {
    /* handle database error */
}
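Fourth, you need to tweak your SQL statement a bit, which I think is where some of the errors are coming from. Escaping column names with backticks is generally best practice, but in this case it is actually necessary, since it looks like your column names contain spaces (plus name may also be a keyword). It is also best practice to use parameters to prevent SQL injection. The idea is that you pass a user-defined name prefixed with : in the SQL query, which corresponds to a value defined in the array you pass: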
/* Insert all the values in the request_site */
$stmt = $db->prepare('
    INSERT INTO `request_site` (
        `Name`,
        `Email Address`,
        `Virtual Airline`,
        `Virtual Airline IATA`,
        `Pricing`,
        `VAM/PHPVMS`,
        `Additional info`
    ) VALUES (
        :name,
        :email,
        :va,
        :vaiata,
        :pricing,
        :vamvms,
        :additionalinfo
    );
');
$stmt->execute(array(
    ':name' => $name,
    ':email' => $email,
    ':va' => $va,
    ':vaiata' => $vaiata,
    ':pricing' => $pricing,
    ':vamvms' => $vamvms,
    ':additionalinfo' => $additionalinfo
));
Putting it all together, you get:
<?php
if (
    $_SERVER['REQUEST_METHOD'] === 'POST' &&
    array_key_exists('name', $_POST) &&
    array_key_exists('email', $_POST) &&
    array_key_exists('va', $_POST) &&
    array_key_exists('va-iata', $_POST) &&
    array_key_exists('pricing', $_POST) &&
    array_key_exists('vam-vms', $_POST) &&
    array_key_exists('add-info', $_POST)
) {
    /* put the $_POST values in variables */
    $name = $_POST['name'];
    $email = $_POST['email'];
    $va = $_POST['va'];
    $vaiata = $_POST['va-iata'];
    $pricing = $_POST['pricing'];
    $vamvms = $_POST['vam-vms'];
    $additionalinfo = $_POST['add-info'];
    try {
        /* database configuration */
        $servername = "host";
        $username = "username";
        $password = "password";
        $dbname = "dbname";
        /* establish a PDO connection */
        $dsn = "mysql:dbname=$dbname;host=$servername;charset=utf8mb4";
        $db = new PDO($dsn, $username, $password);
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        /* Insert all the values in the request_site */
        $stmt = $db->prepare('
            INSERT INTO `request_site` (
                `Name`,
                `Email Address`,
                `Virtual Airline`,
                `Virtual Airline IATA`,
                `Pricing`,
                `VAM/PHPVMS`,
                `Additional info`
            ) VALUES (
                :name,
                :email,
                :va,
                :vaiata,
                :pricing,
                :vamvms,
                :additionalinfo
            );
        ');
        $stmt->execute(array(
            ':name' => $name,
            ':email' => $email,
            ':va' => $va,
            ':vaiata' => $vaiata,
            ':pricing' => $pricing,
            ':vamvms' => $vamvms,
            ':additionalinfo' => $additionalinfo
        ));
        echo 'New record created successfully';
    } catch(PDOException $ex) {
        /* handle database error */
        echo 'Connection failed: ', $ex->getMessage();
    }
} else {
    http_response_code(401);
}
?>
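The `required` attribute and the `<select>` options are enforced only by the browser, so the script still has to check every value before the parameterized INSERT runs. The following is an added example, not code from the question or the answer: `validate_request` is a hypothetical helper, the allowlists mirror the form's options, the IATA pattern is an assumed format, and an in-memory SQLite database with a reduced three-column table stands in for the MySQL one so the script runs offline.

```php
<?php
// Added example: server-side validation plus a parameterized INSERT.
// Assumptions: allowlists mirror the form's <option> values; the IATA pattern
// (2-3 uppercase letters/digits) is illustrative; SQLite in memory with a
// reduced three-column table stands in for the MySQL database.
function validate_request(array $post): array {
    $fields = ['name', 'email', 'va', 'va-iata', 'pricing', 'vam-vms', 'add-info'];
    $clean = [];
    foreach ($fields as $f) {
        // Reject missing keys and array-valued parameters (e.g. name[]=x).
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing or malformed field: $f");
        }
        $clean[$f] = trim($post[$f]);
    }
    if ($clean['name'] === '' || $clean['va'] === '') {
        throw new InvalidArgumentException('name and va must not be empty');
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    if (!preg_match('/\A[A-Z0-9]{2,3}\z/', $clean['va-iata'])) {
        throw new InvalidArgumentException('invalid IATA code');
    }
    if (!in_array($clean['pricing'], ['Free', 'Business', 'Pro'], true)
        || !in_array($clean['vam-vms'], ['PHPVMS', 'VAM'], true)) {
        throw new InvalidArgumentException('unexpected select value');
    }
    return $clean;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `request_site` (`Name` TEXT, `Email Address` TEXT, `Pricing` TEXT)');

// Constructed sample input; the apostrophe would break the interpolated query.
$post = ['name' => "Pat O'Neil", 'email' => 'pat@example.com', 'va' => 'Example Air',
         'va-iata' => 'XA', 'pricing' => 'Pro', 'vam-vms' => 'VAM', 'add-info' => ''];

$row = validate_request($post);
$stmt = $db->prepare('INSERT INTO `request_site` (`Name`, `Email Address`, `Pricing`)
                      VALUES (:name, :email, :pricing)');
$stmt->execute([':name' => $row['name'], ':email' => $row['email'], ':pricing' => $row['pricing']]);
echo $db->query('SELECT `Name` FROM `request_site`')->fetchColumn(), PHP_EOL;

try {
    validate_request(['pricing' => 'Enterprise'] + $post); // value not offered by the form
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```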