$name = $_GET['fullname'];
$phone = $_GET['phone'];
$address = $_GET['address'];
$size = $_GET['size'];
$toppings = $_GET['toppings'];
$delivery = $_GET['type'];
mysql_connect ("localhost", "root", "") or die ('Error: ' . mysql_error());
mysql_select_db ("pizzaorders");
$query ="INSERT INTO orders (fullname, phone, address, size, toppings, delivery) VALUES ('".$name."', '".$phone."', '".$address."','".$size."','".$toppings."','".$delivery.")";
$done=mysql_query($query);
echo $done;
$total = 0;
$total = sizecost() + deliverycost() + toppingcost();
echo " $name your {$_GET["size"]} pizza will come in 45 minutes.";
echo "Total: $ $total";
echo " Your Toppings are ";
foreach($toppings as $topping) {
echo $topping ;
}
echo "Your Delivery Type:{$_GET["type"]}";
echo "Database Updated";
function sizecost() {
$size = 0;
if ($_GET['size'] == "Small"){
$size+=5;
}
else if ($_GET['size'] == "Medium"){
$size+=10;
}
else if ($_GET['size'] == "Large"){
$size+=15;
}
return $size;
}
function toppingcost() {
$toppings = $_GET['toppings'];
foreach($toppings as $topping) {
$topping=1;
$topping=$topping+1;
}
return $topping;
}
function deliverycost() {
$deliverycost = 0;
if ($_GET['type'] == "delivery") {
$deliverycost += 5;
}
return $deliverycost;
}
答案 0 :(得分:8)
最后一个值在最后缺少单引号。
答案 1 :(得分:2)
在echo mysql_error
mysql_query
答案 2 :(得分:2)
你必须使用mysql_real_escape_string()
来防止 [我的] sql注入。
答案 3 :(得分:2)
使用PDO;
可以节省大量精力$db = new PDO('mysql:host=localhost;dbname=pizzaorders', "root", "");
$query = $db->prepare("INSERT INTO orders
(fullname, phone, address, size, toppings, delivery)
VALUES (?,?,?,?,?,?)");
$query->execute(array($name, $phone, $address, $size, $toppings, $delivery));
或者你可以在那里使用$ _GET []变量。
答案 4 :(得分:0)
首先你可以在屏幕上打印错误,这样你就知道出了什么问题
$done=mysql_query($query) or die(mysql_error());
第二,你在最后错过了一个引用
,'".$delivery.")";
应为,'".$delivery."')";
修改强>
回答你的第二个问题:
我认为你不能在函数
中使用$_GET['type']
最好在函数外部获取类型,然后将其作为参数传递,如下所示:
$type = mysql_real_escape_string($_GET['type']);
deliverycost($type);
并在您的函数中
function deliverycost($type)
{
if(empty($type))
{
//throw error, type cannot be empty
}
$deliverycost = 0;
if ($type == "delivery") {
$deliverycost += 5;
}
return $deliverycost;
}
答案 5 :(得分:0)
确保您逃脱单引号,如:
mysql_real_escape_string($name)
查询将是:
$query ="INSERT INTO orders (fullname, phone, address, size, toppings, delivery)
VALUES ('".mysql_real_escape_string($name)."', '".mysql_real_escape_string($phone)."', '".mysql_real_escape_string($address)."','".mysql_real_escape_string($size)."','".mysql_real_escape_string($toppings)."','".mysql_real_escape_string($delivery)."')";
同样回显查询以查看正在向数据库发送的查询。